Splunk Commands – Append, Chart and Dedup


We have already gone through the five golden search commands. Here we are going to see the next 3 commands:

  • Append
  • Chart
  • Dedup


Use the append command to append the results of a subsearch to the results of your current search. Put simply, it combines 2 search queries and produces a single result. The append command runs only over historical data; it will not produce correct results if used in a real-time search.


Appends subsearch results to current results.


append [subsearch-options]* subsearch

Required arguments:


Description: A search pipeline. Read more about how subsearches work in the Search manual.

Optional arguments:


Syntax: maxtime=<int> | maxout=<int> | timeout=<int>

Description: Controls how the subsearch is executed.

Subsearch options:


Syntax: maxtime=<int>

Description: The maximum time (in seconds) to spend on the subsearch before automatically finalizing. Defaults to 60.


Syntax: maxout=<int>

Description: The maximum number of result rows to output from the subsearch. Defaults to 50000.


Syntax: timeout=<int>

Description: The maximum time (in seconds) to wait for subsearch to fully finish. Defaults to 120.


Scenario 1:

There was a sudden increase in logins and analysts were not sure where it originated. So the user tried to gather the action and identify the logon type that initiated the connections, using the query below:

| search index="wineventlog" EventCode=4624

| stats count by action

| append [ search sourcetype=WinEventLog | stats count by Logon_Type ]

In the first search, we specify the index and the successful-logon event code, then use the stats count command to get the exact count of successful logins. That is the result in the first line. We then use the append command to add the results of the second search, which counts events by Logon_Type.


Scenario 2:

Security analysts need to fetch the count of interactive logon events and, at the same time, the total number of failed and successful logons.

sourcetype=WinEventLog (EventCode=4624 OR EventCode=4625)

| where Logon_Type=2

| stats count by action

| append [ search sourcetype=WinEventLog | where EventCode IN (4624,4625) | stats count ]

In the 1st search query, we have produced the successful and failed action counts of the interactive login.

That’s the result in the first line. Then we have used the append command in the 2nd query and produced the total count of the success & failed event code logs. That’s the count in the second line.
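A variant of the Scenario 2 search, added here as an example (not part of the original article). It tags every row with a hypothetical `scope` field so the appended total can be told apart from the per-action rows, and it sets the subsearch options explicitly to the default values listed above, because a subsearch that hits `maxtime` or `maxout` is finalized with partial results.

```spl
sourcetype=WinEventLog (EventCode=4624 OR EventCode=4625) Logon_Type=2
| stats count by action
| eval scope="interactive logons"
| append maxtime=60 maxout=50000 timeout=120
    [ search sourcetype=WinEventLog (EventCode=4624 OR EventCode=4625)
      | stats count
      | eval action="all", scope="all logon types" ]
| table scope action count
```

Run it over a fixed historical time range, since append does not give correct results in a real-time search.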




Use the chart command to create charts that can display any series of data that you want to plot. You can decide what field is tracked on the x-axis of the chart. The chart, timechart, stats, eventstats, and streamstats commands are all designed to work in conjunction with statistical functions.


Returns results in a tabular output for charting.


chart [sep=<string>] [cont=<bool>] [limit=<int>] [agg=<stats-agg-term>] ( <stats-agg-term> | <sparkline-agg-term> | <eval-expression>… ) [ by <field> (<bucketing-option>)… [<split-by-clause>] ] | [ over <field> (<bucketing-option>)… [by <split-by-clause>] ]

Required arguments


Syntax: agg=<stats-agg-term>

Description: Specify an aggregator or function. For a list of stats functions with descriptions and examples, see “Functions for stats, chart, and timechart”.


Syntax: <sparkline-agg> [AS <wc-field>]

Description: A sparkline specifier, optionally renamed to a new field.


Syntax: <eval-math-exp> | <eval-concat-exp> | <eval-compare-exp> | <eval-bool-exp> | <eval-function-call>

Description: A combination of literals, fields, operators, and functions that represent the value of your destination field. For more information, see the Functions for eval. For these evaluations to work, your values need to be valid for the type of operation. For example, with the exception of addition, arithmetic operations may not produce valid results if the values are not numerical. Additionally, Splunk can concatenate the two operands if they are both strings. When concatenating values with ‘.’, Splunk treats both values as strings regardless of their actual type.

Optional arguments


Syntax: <stats-agg-term>

Description: For a list of stats functions with descriptions and examples, see “Functions for stats, chart, and timechart”.


Syntax: bins | span | <start-end>

Description: Discretization options. If a bucketing option is not supplied, timechart defaults to bins=300. This finds the smallest bucket size that results in no more than 300 distinct buckets.


Syntax: <bool>

Description: Specifies whether it is continuous or not.


Syntax: <int>

Description: Specify a limit for series filtering; limit=0 means no filtering.


Syntax: count|<stats-func>(<field>)

Description: A single aggregation applied to a single field (can be evaled field). No wildcards are allowed. The field must be specified, except when using the special count aggregator that applies to events as a whole.


Syntax: sep=<string>

Description: Used to construct output field names when multiple data series are used in conjunction with a split-by field.


Syntax: <field> (<tc-option>)* [<where-clause>]

Description: Specifies a field to split by. If the field is numerical, default discretization is applied; discretization is defined with tc-option.


Using the chart command, the login action counts are displayed in the form of a chart:


| chart count by action span=log2
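An added example (not from the original article) that applies chart to the logon events used in the append scenarios. It uses two `count(eval(...))` aggregations split by Logon_Type, then derives a hypothetical `failed_pct` field so that logon types with an unusual share of failures sort to the top.

```spl
sourcetype=WinEventLog (EventCode=4624 OR EventCode=4625)
| chart count(eval(EventCode=4624)) AS success
        count(eval(EventCode=4625)) AS failed
        by Logon_Type
| eval failed_pct=round(100 * failed / (success + failed), 1)
| sort - failed_pct
```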





The dedup command lets you specify the number of duplicate events to keep based on the values of a field. You can also have dedup sort by a set of fields: it removes all duplicates first and then sorts the results by the sort-by field you specify. Note that this only has an effect if your search returns several results. The other options let you set additional criteria; for example, you might want to keep all events but remove duplicate values instead of the entire event. If you are searching through a large volume of data, avoid running dedup against the _raw field, as doing so will impact your search performance.


Removes the subsequent duplicate results that match specified criteria.


dedup [<N>] <field-list> [keepevents=<bool>] [keepempty=<bool>] [consecutive=<bool>] [sortby <sort-by-clause>]

 Required arguments


Syntax: <string> <string> …

Description: A list of field names.

 Optional arguments


Syntax: consecutive=<bool>

Description: Specify whether to only remove duplicate events that are consecutive (true). Defaults to false.


Syntax: keepempty=<bool>

Description: If an event contains a null value for one or more of the specified fields, the event is either retained (true) or discarded. Defaults to false.


Syntax: keepevents=<bool>

Description: When true, keep all events and remove specific values. Defaults to false.


Syntax: <int>

Description: Specify the first N (where N > 0) number of events to keep, for each combination of values for the specified field(s). The non-option parameter, if it is a number, is interpreted as N.


Syntax: ( - | + ) <sort-field>

Description: List of fields to sort by and their order, descending ( - ) or ascending ( + ).

 Sort field options


Syntax: <field> | auto(<field>) | str(<field>) | ip(<field>) | num(<field>)

Description: Options for sort-field.


Syntax: <string>

Description: The name of the field to sort.


Syntax: auto(<field>)

Description: Determine automatically how to sort the field’s values.


Syntax: ip(<field>)

Description: Interpret the field’s values as an IP address.


Syntax: num(<field>)

Description: Treat the field’s values as numbers.


Syntax: str(<field>)

Description: Order the field’s values lexicographically.


Scenario 1:

Remove duplicate results based on one field.

| search app=web-browsing dest_ip!=10.* | table dest_ip | dedup dest_ip

The above query will show the unique IP results of the outbound browsing connections excluding the internal connections.

Scenario 2:

Keep the first 3 duplicate results

| search app=web-browsing dest_ip!=10.* | table dest_ip | dedup 3 dest_ip

The above query will show the results of the outbound browsing IP connections excluding the internal connections. Because 3 follows dedup, the first 3 events for each dest_ip value are kept and any further duplicates are removed.

Scenario 3:

Keep results that have the same combination of values in multiple fields

| search app=web-browsing dest_ip!=10.* | table dest_ip, user | dedup 2 dest_ip, user

The above search query looks at each combination of destination IP and user values, keeps the first 2 events that occur for each combination, and removes all subsequent ones.
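A self-contained version of the three scenarios, added here as an example (not from the original article), that runs without any indexed data. The events are constructed with makeresults, the addresses and user names are made up, and `n` is a hypothetical helper field. It sorts before dedup so that "first" explicitly means the most recent events for each dest_ip and user pair.

```spl
| makeresults count=12
| streamstats count AS n
| eval _time=_time - n*60
| eval dest_ip=case(n<=5, "8.8.8.8", n<=9, "100.64.0.9", true(), "10.1.2.3")
| eval user=if(n%2=0, "alice", "bob")
| search dest_ip!=10.*
| sort 0 -_time
| dedup 2 dest_ip user
| table _time n dest_ip user
```

The dot in `10.*` matters: a filter written as `dest_ip!=10*` would also drop the 100.64.0.9 rows, hiding a non-10.x destination from the results.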

Anusthika Jeyashankar
Ambitious Blue Teamer; Enthused Security Analyst

