The append command appends the result of a sub-search and attaches it as additional rows to the bottom of the input search results (The main search).
The command aligns columns with the same field names and types. For different column fields between the main search and sub-search, NULL values are filled in the respective rows.
append <sub-search>
- sub-search: mandatory. Executes PPL commands as a secondary search.
- Schema Compatibility: When fields with the same name exist between the main search and sub-search but have incompatible types, the query will fail with an error. To avoid type conflicts, ensure that fields with the same name have the same data type, or use different field names (e.g., by renaming with
evalor usingfieldsto select non-conflicting columns).
This example appends rows from "count by gender" to "sum by gender, state".
source=accounts | stats sum(age) by gender, state | sort -`sum(age)` | head 5 | append [ source=accounts | stats count(age) by gender ]
Expected output:
fetched rows / total rows = 6/6
+----------+--------+-------+------------+
| sum(age) | gender | state | count(age) |
|----------+--------+-------+------------|
| 36 | M | TN | null |
| 33 | M | MD | null |
| 32 | M | IL | null |
| 28 | F | VA | null |
| null | F | null | 1 |
| null | M | null | 3 |
+----------+--------+-------+------------+
This example appends rows from "sum by gender" to "sum by gender, state" with merged column of same field name and type.
source=accounts | stats sum(age) as sum by gender, state | sort -sum | head 5 | append [ source=accounts | stats sum(age) as sum by gender ]
Expected output:
fetched rows / total rows = 6/6
+-----+--------+-------+
| sum | gender | state |
|-----+--------+-------|
| 36 | M | TN |
| 33 | M | MD |
| 32 | M | IL |
| 28 | F | VA |
| 28 | F | null |
| 101 | M | null |
+-----+--------+-------+