Splunk Search

How to add delay between two commands in search

ankithreddy777
Contributor

Hi, how can I add a delay between two commands in Splunk?
I have a scenario:
1) where I will append the search results to an existing lookup file,
2) in the second step I need to retrieve the complete results and perform lookup activities on the search results in this step

If I use a single query, I am worried that the second query may execute before the results are exported to the lookup file. So I am thinking of adding a delay between the two commands.

Simply:
After using the |outputlookup command to export results to the file, I need to use the lookup command to map the latest results in the file to specific search results. But I worry that the lookup command may execute in parallel with the outputlookup command, which would lead to incomplete result mapping.

Is it possible?

0 Karma

flle
Path Finder

Hi ankithreddy777,

Not sure if the question is still relevant, but as I had a similar issue (I think) I will share my solution.

If I interpret your question correctly, you have something like:

search ... | processing ... 
| outputlookup append=true file_1.csv 
| append 
    [ inputlookup file_1.csv | lookup ... | processing and merging... ]
| final processing or outputlookup

If this is your scenario, then your first outputlookup will have the results of your initial search appended correctly, BUT the inputlookup file_1.csv in the append section is a subsearch and will get parsed and dispatched before your outer search, so it will take the version of file_1.csv before the results from your search have been appended.
The append command appends the results of a subsearch to the current results.

To solve this, you can just replace append by appendpipe.
This appends the result of the subpipeline to the search results. Unlike a subsearch, the subpipeline is not run first. The subpipeline is run when the search reaches the appendpipe command.

0 Karma

s2_splunk
Splunk Employee

Commands on a single query are executed in the sequence they appear in the SPL. The next processing step in the search is not started until the previous step has completed.
So, if you do somesearch | outputlookup blah | someothercommand that uses the lookup, someothercommand will not start until the outputlookup has returned/completed.

ankithreddy777
Contributor

Hi ssievert,
Thank you for the response. Does this apply to subsearches also?
I thought the subsearch part of the |append command executes in parallel with the main search. Am I right?

0 Karma

gcusello
SplunkTrust

Hi ankithreddy777,
could you share more details?
Bye.
Giuseppe

0 Karma