append

The append command appends the results of a subsearch as additional rows to the end of the input search results (the main search).

The command aligns columns that have the same field names and types. For columns that exist in only the main search or subsearch, NULL values are inserted into the missing fields for the respective rows.

Syntax

The append command has the following syntax:

append <subsearch>

Parameters

The append command supports the following parameters.

Example 1: Appending error and warning counts side by side

The following query shows error counts per service, then appends warning counts from a separate query. This lets you compare error and warning rates across services:

source=otellogs
| where severityText = 'ERROR'
| stats count() as error_count by `resource.attributes.service.name`
| sort - error_count
| append [ source=otellogs | where severityText = 'WARN' | stats count() as warn_count by `resource.attributes.service.name` ]
| sort `resource.attributes.service.name`
| fields `resource.attributes.service.name`, error_count, warn_count

The query returns the following results:

Example 2: Appending summary rows to detail rows

The following query shows severity levels by count, then appends the total count across all levels:

source=otellogs
| stats count() as log_count by severityText
| sort - log_count
| append [ source=otellogs | stats count() as log_count | eval severityText = 'ALL' ]
| fields severityText, log_count

The query returns the following results:

Limitations

The append command has the following limitations:

• Schema compatibility: When fields with the same name exist in both the main search and the subsearch but have incompatible types, the query fails with an error. To avoid type conflicts, ensure that fields with the same name share the same data type. Alternatively, use different field names. You can rename the conflicting fields using eval or select non-conflicting columns using fields.