topic How to add delay between two commands in search in Splunk Search

How to add delay between two commands in search

ankithreddy777 — Thu, 16 Nov 2017 18:08:27 GMT

Hi, How can I add delay between two commands in Splunk.
I have a scenario,
1) where I will append the search results to existing lookup file,
2) in second step I need to retrieve complete results and perform lookup activities search results in this step

If I use in single query, I am worried that before exporting results to lookup file the second query may execute. SO thinking to add delay between to commands

Simply:
After using |outputlookup command to export results to file, I need to use lookup command to map latest results in file to specific search results. But worries if lookup command executes parallel with outputlookup command, Which will happed incomplete result mapping

Is it possible?

Re: How to add delay between two commands in search

gcusello — Thu, 16 Nov 2017 18:12:31 GMT

Hi ankithreddy777,
could you share more details?
Bye.
Giuseppe

Re: How to add delay between two commands in search

s2_splunk — Thu, 16 Nov 2017 18:30:16 GMT

Commands on a single query are executed in the sequence they appear in the SPL. The next processing step in the search is not started until the previous step has completed.
So, if you do somesearch | outputlookup blah | someothercommand that uses the lookup, someothercommand will not start until the outputlookup has returned/completed.

Re: How to add delay between two commands in search

ankithreddy777 — Thu, 16 Nov 2017 21:52:15 GMT

Hi ssievert,
Thank you for the response. Does this apply to sub searches also.
I thought sub-search part of |append command executes parallel with main search. I am right?

Re: How to add delay between two commands in search

flle — Tue, 29 Sep 2020 17:25:30 GMT

Hi ankithreddy777,

not sure if the question is still relevant, but as I had a similar issue ( I think) I will share my solution.

If I interpret your question correctly, you have something like:

search ... | processing ... 
| outputlookup append=true file_1.csv 
| append 
    [ inputlookup file_1.csv | lookup ... | processing and merging... ]
| final processing or outputlookup

If this is your szenario, then your first outputlookup will have the results of your initial search appended correctly, BUT the inputlookup file_1.csv in the append section is subsearch and will get parsed and dispatched before your outer search, so it will take the version of file_1.csv before the results from your search have been appended.
The append command appends the results of a subsearch to the current results.

To solve this, you can just replace append by appendpipe.
This appends the result of the subpipeline to the search results. Unlike a subsearch, the subpipeline is not run first. The subpipeline is run when the search reaches the appendpipe command.