penghuo
diff --git a/‎docs/user/ppl/otel/cmd/addcoltotals.md‎
Lines changed: 74 additions & 0 deletions b/‎docs/user/ppl/otel/cmd/addcoltotals.md‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎docs/user/ppl/otel/cmd/addtotals.md‎
Lines changed: 78 additions & 0 deletions b/‎docs/user/ppl/otel/cmd/addtotals.md‎
Lines changed: 78 additions & 0 deletions
diff --git a/‎docs/user/ppl/otel/cmd/append.md‎
Lines changed: 86 additions & 0 deletions b/‎docs/user/ppl/otel/cmd/append.md‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎docs/user/ppl/otel/cmd/appendcol.md‎
Lines changed: 90 additions & 0 deletions b/‎docs/user/ppl/otel/cmd/appendcol.md‎
Lines changed: 90 additions & 0 deletions
diff --git a/‎docs/user/ppl/otel/cmd/appendpipe.md‎
Lines changed: 59 additions & 0 deletions b/‎docs/user/ppl/otel/cmd/appendpipe.md‎
Lines changed: 59 additions & 0 deletions
@@ -0,0 +1,74 @@
+# addcoltotals (otellogs)
+
+The `addcoltotals` command computes the sum of each column and adds a summary row showing the total.
+
+## Example 1: Basic example
+
+```ppl
+source=otellogs
+| sort @timestamp
+| fields severityText, severityNumber, flags
+| head 3
+| addcoltotals labelfield='severityText'
+```
+
+The query returns the following results:
+
+```text
+fetched rows / total rows = 4/4
++--------------+----------------+-------+
+| severityText | severityNumber | flags |
+|--------------+----------------+-------|
+| INFO         | 9              | 1     |
+| ERROR        | 17             | 1     |
+| WARN         | 13             | 0     |
+| Total        | 39             | 2     |
++--------------+----------------+-------+
+```
+
+
+## Example 2: Adding column totals with custom label
+
+```ppl
+source=otellogs
+| stats count() by flags
+| addcoltotals `count()` label='Sum' labelfield='Total'
+```
+
+The query returns the following results:
+
+```text
+fetched rows / total rows = 3/3
++---------+-------+-------+
+| count() | flags | Total |
+|---------+-------+-------|
+| 2       | 1     | null  |
+| 30      | 0     | null  |
+| 32      | null  | Sum   |
++---------+-------+-------+
+```
+
+
+## Example 3: Using all options with stats
+
+```ppl
+source=otellogs
+| where severityNumber > 10
+| stats avg(severityNumber) as avg_sev, count() as count by flags
+| head 3
+| addcoltotals avg_sev, count label='Sum' labelfield='Column Total'
+```
+
+The query returns the following results:
+
+```text
+fetched rows / total rows = 3/3
++---------+-------+-------+--------------+
+| avg_sev | count | flags | Column Total |
+|---------+-------+-------+--------------|
+| 17.0    | 1     | 1     | null         |
+| 16.0    | 15    | 0     | null         |
+| 33.0    | 16    | null  | Sum          |
++---------+-------+-------+--------------+
+```
+
@@ -0,0 +1,78 @@
+# addtotals (otellogs)
+
+The `addtotals` command computes the sum of numeric fields and can create both column totals (summary row) and row totals (new field).
+
+## Example 1: Basic example with column totals
+
+```ppl
+source=otellogs
+| sort @timestamp
+| head 3
+| fields severityText, severityNumber, flags
+| addtotals col=true labelfield='severityText' label='Total'
+```
+
+The query returns the following results:
+
+```text
+fetched rows / total rows = 4/4
++--------------+----------------+-------+-------+
+| severityText | severityNumber | flags | Total |
+|--------------+----------------+-------+-------|
+| INFO         | 9              | 1     | 10    |
+| ERROR        | 17             | 1     | 18    |
+| WARN         | 13             | 0     | 13    |
+| Total        | 39             | 2     | null  |
++--------------+----------------+-------+-------+
+```
+
+
+## Example 2: Column totals without row totals
+
+```ppl
+source=otellogs
+| sort @timestamp
+| fields severityText, severityNumber, flags
+| head 4
+| addtotals col=true row=false label='Sum' labelfield='Total'
+```
+
+The query returns the following results:
+
+```text
+fetched rows / total rows = 5/5
++--------------+----------------+-------+-------+
+| severityText | severityNumber | flags | Total |
+|--------------+----------------+-------+-------|
+| INFO         | 9              | 1     | null  |
+| ERROR        | 17             | 1     | null  |
+| WARN         | 13             | 0     | null  |
+| DEBUG        | 5              | 0     | null  |
+| null         | 44             | 2     | Sum   |
++--------------+----------------+-------+-------+
+```
+
+
+## Example 3: Using all options
+
+```ppl
+source=otellogs
+| where severityNumber > 10
+| stats avg(severityNumber) as avg_sev, count() as count by flags
+| head 3
+| addtotals avg_sev, count row=true col=true fieldname='Row Total' label='Sum' labelfield='Column Total'
+```
+
+The query returns the following results:
+
+```text
+fetched rows / total rows = 3/3
++---------+-------+-------+-----------+--------------+
+| avg_sev | count | flags | Row Total | Column Total |
+|---------+-------+-------+-----------+--------------|
+| 17.0    | 1     | 1     | 18.0      | null         |
+| 16.0    | 15    | 0     | 31.0      | null         |
+| 33.0    | 16    | null  | null      | Sum          |
++---------+-------+-------+-----------+--------------+
+```
+
@@ -0,0 +1,86 @@
+# append (otellogs)
+
+The `append` command appends the results of a subsearch as additional rows to the end of the input search results.
+
+## Example 1: Append rows from a count aggregation
+
+The following query appends count by severityText to sum by severityText and flags:
+
+```ppl
+source=otellogs
+| stats sum(severityNumber) by severityText, flags
+| sort - `sum(severityNumber)`
+| head 3
+| append [ source=otellogs | stats count(severityNumber) by severityText | sort - `count(severityNumber)` | head 3 ]
+```
+
+The query returns the following results:
+
+```text
+fetched rows / total rows = 6/6
++---------------------+--------------+-------+-----------------------+
+| sum(severityNumber) | severityText | flags | count(severityNumber) |
+|---------------------+--------------+-------+-----------------------|
+| 24                  | FATAL4       | 0     | null                  |
+| 23                  | FATAL3       | 0     | null                  |
+| 22                  | FATAL2       | 0     | null                  |
+| null                | INFO         | null  | 7                     |
+| null                | ERROR        | null  | 2                     |
+| null                | WARN         | null  | 2                     |
++---------------------+--------------+-------+-----------------------+
+```
+
+
+## Example 2: Append rows with merged column names
+
+The following query appends rows from sum by severityText to sum by severityText and flags, merging columns with the same field name:
+
+```ppl
+source=otellogs
+| stats sum(severityNumber) as total by severityText, flags
+| sort - total
+| head 3
+| append [ source=otellogs | stats sum(severityNumber) as total by severityText | sort - total | head 3 ]
+```
+
+The query returns the following results:
+
+```text
+fetched rows / total rows = 6/6
++-------+--------------+-------+
+| total | severityText | flags |
+|-------+--------------+-------|
+| 24    | FATAL4       | 0     |
+| 23    | FATAL3       | 0     |
+| 22    | FATAL2       | 0     |
+| 63    | INFO         | null  |
+| 34    | ERROR        | null  |
+| 26    | WARN         | null  |
++-------+--------------+-------+
+```
+
+
+## Example 3: Append different aggregations
+
+The following query appends average severity numbers to maximum severity numbers:
+
+```ppl
+source=otellogs
+| stats max(severityNumber) as severity by flags
+| append [ source=otellogs | stats avg(severityNumber) as severity by flags ]
+| sort flags, severity
+```
+
+The query returns the following results:
+
+```text
+fetched rows / total rows = 4/4
++--------------------+-------+
+| severity           | flags |
+|--------------------+-------|
+| 12.466666666666667 | 0     |
+| 24                 | 0     |
+| 13.0               | 1     |
+| 17                 | 1     |
++--------------------+-------+
+```
@@ -0,0 +1,90 @@
+# appendcol (otellogs)
+
+The `appendcol` command appends the result of a subsearch as additional columns to the input search results.
+
+## Example 1: Append count aggregation to existing results
+
+```ppl
+source=otellogs
+| stats sum(severityNumber) by flags, severityText
+| appendcol [ stats count(severityNumber) by flags ]
+| head 10
+```
+
+The query returns the following results:
+
+```text
+fetched rows / total rows = 10/10
++-------+--------------+---------------------+----------------------+
+| flags | severityText | sum(severityNumber) | count(severityNumber) |
+|-------+--------------+---------------------+----------------------|
+| 0     | DEBUG        | 5                   | 30                   |
+| 0     | DEBUG2       | 6                   | 2                    |
+| 0     | DEBUG3       | 7                   | null                 |
+| 0     | DEBUG4       | 8                   | null                 |
+| 0     | ERROR        | 17                  | null                 |
+| 0     | ERROR2       | 18                  | null                 |
+| 0     | ERROR3       | 19                  | null                 |
+| 0     | ERROR4       | 20                  | null                 |
+| 0     | FATAL        | 21                  | null                 |
+| 0     | FATAL2       | 22                  | null                 |
++-------+--------------+---------------------+----------------------+
+```
+
+
+## Example 2: Append count with override
+
+```ppl
+source=otellogs
+| stats sum(severityNumber) by flags, severityText
+| appendcol override=true [ stats count(severityNumber) by flags ]
+| head 10
+```
+
+The query returns the following results:
+
+```text
+fetched rows / total rows = 10/10
++-------+--------------+---------------------+----------------------+
+| flags | severityText | sum(severityNumber) | count(severityNumber) |
+|-------+--------------+---------------------+----------------------|
+| 0     | DEBUG        | 5                   | 30                   |
+| 1     | DEBUG2       | 6                   | 2                    |
+| 0     | DEBUG3       | 7                   | null                 |
+| 0     | DEBUG4       | 8                   | null                 |
+| 0     | ERROR        | 17                  | null                 |
+| 0     | ERROR2       | 18                  | null                 |
+| 0     | ERROR3       | 19                  | null                 |
+| 0     | ERROR4       | 20                  | null                 |
+| 0     | FATAL        | 21                  | null                 |
+| 0     | FATAL2       | 22                  | null                 |
++-------+--------------+---------------------+----------------------+
+```
+
+
+## Example 3: Append multiple subsearch results
+
+```ppl
+source=otellogs
+| sort @timestamp
+| fields severityText, severityNumber, flags
+| head 5
+| appendcol [ stats avg(severityNumber) as avg_sev ]
+| appendcol [ stats max(severityNumber) as max_sev ]
+```
+
+The query returns the following results:
+
+```text
+fetched rows / total rows = 5/5
++--------------+----------------+-------+--------------------+---------+
+| severityText | severityNumber | flags | avg_sev            | max_sev |
+|--------------+----------------+-------+--------------------+---------|
+| INFO         | 9              | 1     | 12.5               | 24      |
+| ERROR        | 17             | 1     | null               | null    |
+| WARN         | 13             | 0     | null               | null    |
+| DEBUG        | 5              | 0     | null               | null    |
+| INFO         | 9              | 0     | null               | null    |
++--------------+----------------+-------+--------------------+---------+
+```
+
@@ -0,0 +1,59 @@
+# appendpipe (otellogs)
+
+The `appendpipe` command appends the results of a subpipeline to the search results.
+
+## Example 1: Append rows from total count to existing results
+
+```ppl
+source=otellogs
+| stats sum(severityNumber) as part by flags, severityText
+| sort -part
+| head 5
+| appendpipe [ stats sum(part) as total by flags ]
+```
+
+The query returns the following results:
+
+```text
+fetched rows / total rows = 7/7
++------+-------+--------------+-------+
+| part | flags | severityText | total |
+|------+-------+--------------+-------|
+| 24   | 0     | FATAL4       | null  |
+| 23   | 0     | FATAL3       | null  |
+| 22   | 0     | FATAL2       | null  |
+| 21   | 0     | FATAL        | null  |
+| 20   | 0     | ERROR4       | null  |
+| null | 0     | null         | 110   |
+| null | 1     | null         | null  |
++------+-------+--------------+-------+
+```
+
+
+## Example 2: Append rows with merged column names
+
+```ppl
+source=otellogs
+| stats sum(severityNumber) as total by flags, severityText
+| sort -total
+| head 5
+| appendpipe [ stats sum(total) as total by flags ]
+```
+
+The query returns the following results:
+
+```text
+fetched rows / total rows = 7/7
++-------+-------+--------------+
+| total | flags | severityText |
+|-------+-------+--------------|
+| 24    | 0     | FATAL4       |
+| 23    | 0     | FATAL3       |
+| 22    | 0     | FATAL2       |
+| 21    | 0     | FATAL        |
+| 20    | 0     | ERROR4       |
+| 110   | 0     | null         |
+| null  | 1     | null         |
++-------+-------+--------------+
+```
+