appendpipe

The appendpipe command appends the results of a subpipeline to the search results. Unlike a subsearch, the subpipeline is not executed first; it runs only when the search reaches the appendpipe command.

The command aligns columns that have the same field names and types. For columns that exist in only the main search or subpipeline, NULL values are inserted into the missing fields for the respective rows.

Syntax

The appendpipe command has the following syntax:

appendpipe [<subpipeline>]

Parameters

The appendpipe command supports the following parameters.

Example 1: Appending a total row to aggregated results

The following query counts logs by severity level, then appends a total row. This is useful for building summary reports that include both breakdowns and totals:

source=otellogs
| stats count() as log_count by severityText
| sort - log_count
| appendpipe [ stats sum(log_count) as total ]
| fields severityText, log_count, total

The query returns the following results:

Example 2: Appending summary statistics to detail rows

The following query shows error counts per service, then appends the overall average error count across all services:

source=otellogs
| where severityText = 'ERROR'
| stats count() as error_count by `resource.attributes.service.name`
| sort - error_count
| appendpipe [ stats avg(error_count) as avg_errors ]
| fields `resource.attributes.service.name`, error_count, avg_errors

The query returns the following results:

Limitations

The appendpipe command has the following limitations:

• Schema compatibility: When fields with the same name exist in both the main search and the subpipeline but have incompatible types, the query fails with an error. To avoid type conflicts, ensure that fields with the same name share the same data type. Alternatively, use different field names. You can rename the conflicting fields using eval or select non-conflicting columns using fields.