append
Append results from a subsearch to the main search results.
Description
The append command adds results from a subsearch to your main search results. This allows you to combine data from different searches into a single result set, useful for comparing datasets or creating unified views.
Syntax
... | append [maxout=<int>] [<subsearch>]
Required Arguments
subsearch
A complete search query enclosed in square brackets. Results are appended to the main search.
Optional Arguments
maxout
Syntax: maxout=<int>
Description: Maximum number of rows the subsearch may contribute to the result set. Raise it if the subsearch needs to return more than the default 10,000 rows.
Default: 10000
Maximum: 100000
Examples
Combine current and historical data
status=500
| append [search status=500 earliest=-7d latest=-1d]
Compare two time periods
event_type=login earliest=-1d
| stats count() as today
| append [search event_type=login earliest=-2d latest=-1d | stats count() as yesterday]
Combine different sources
source_type="firewall" event_type=block
| append [search source_type="ids" event_type=alert]
Add baseline data
* | stats count() by user
| append [search earliest=-30d latest=-7d | stats count() as baseline by user]
Union multiple searches
severity=critical
| append [search severity=high priority=urgent]
| dedup _id
Large subsearch with maxout
source_type="firewall"
| append maxout=50000 [search source_type="dns"]
Usage Notes
Order preserved: Appended results appear after main search results.
Field alignment: The result carries the union of both searches' fields; a field produced by only one search is null in the other search's rows. append never merges rows, so in the "Compare two time periods" example the result is two rows: one with today set and yesterday null, and one with yesterday set and today null.
Deduplication: Use dedup if you need to remove duplicates between searches.
Subsearch limit: Subsearch results are capped at 10,000 rows by default. Use maxout=N to increase the limit (up to 100,000) if your subsearch returns more rows.
Performance: A subsearch runs as a separate search whose results are fully produced before they are appended, so a wide time range or a high maxout value adds that search's full cost to the query.
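To make these notes concrete, here is a small Python model of the result semantics described above (order preserved, fields aligned with null for the missing side, subsearch rows capped at maxout, dedup removing cross-search duplicates). It is an added illustration for this page, not the search engine's own code: the row format, the function names, the constructed sample rows, and the assumption that dedup keeps the first row seen for each value are all choices made for the example rather than behaviour documented above.

```python
"""Toy model of the append command's result semantics (added example)."""
from typing import Any

DEFAULT_MAXOUT = 10_000   # default subsearch row cap from the reference above
MAX_MAXOUT = 100_000      # largest value maxout accepts

Row = dict[str, Any]


def append(main: list[Row], subsearch: list[Row],
           maxout: int = DEFAULT_MAXOUT) -> list[Row]:
    """Return main rows followed by subsearch rows, with fields aligned.

    Models the three usage notes: subsearch rows come after main rows,
    rows beyond maxout are dropped, and every output row carries the union
    of both searches' fields with None standing in for null.
    """
    if not 1 <= maxout <= MAX_MAXOUT:
        raise ValueError(f"maxout must be between 1 and {MAX_MAXOUT}")
    kept_sub = subsearch[:maxout]
    fields: list[str] = []
    for row in main + kept_sub:
        for name in row:
            if name not in fields:
                fields.append(name)
    return [{f: row.get(f) for f in fields} for row in main + kept_sub]


def dedup(rows: list[Row], field: str) -> list[Row]:
    """Keep the first row seen per value of `field` (assumed dedup behaviour)."""
    seen: set = set()
    out: list[Row] = []
    for row in rows:
        key = row.get(field)
        if key in seen:
            continue
        seen.add(key)
        out.append(row)
    return out


# Constructed rows standing in for the "Compare two time periods" example:
# each side is a one-row stats result with a differently named field.
TODAY = [{"today": 42}]
YESTERDAY = [{"yesterday": 37}]

# Constructed rows for the "Union multiple searches" example; event _id 101
# is returned by both searches and must survive only once after dedup.
CRITICAL = [{"_id": 101, "severity": "critical"},
            {"_id": 102, "severity": "critical"}]
HIGH_URGENT = [{"_id": 101, "severity": "high", "priority": "urgent"},
               {"_id": 103, "severity": "high", "priority": "urgent"}]


def compare_periods() -> list[Row]:
    """Two rows, not one: append does not merge the stats results."""
    return append(TODAY, YESTERDAY)


def union_dedup() -> list[Row]:
    """Main results come first, so the critical copy of _id 101 is kept."""
    return dedup(append(CRITICAL, HIGH_URGENT), "_id")


def capped(n_main: int, n_sub: int, maxout: int) -> int:
    """Row count after appending n_sub constructed rows under a maxout cap."""
    main = [{"src": "firewall", "i": i} for i in range(n_main)]
    sub = [{"src": "dns", "i": i} for i in range(n_sub)]
    return len(append(main, sub, maxout=maxout))


if __name__ == "__main__":
    print(compare_periods())
    print(union_dedup())
    print(capped(5, 20, maxout=10))
```

The `union_dedup` case shows why ordering matters when deduplicating across searches: because main results precede appended ones, the row kept for a shared `_id` is the main search's version, so put the search whose fields you want to win first.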
Related Commands
- join - Combine searches with matching