Solved: Can one search trigger another?

a212830 · ‎01-23-2017

Hi,

Is there a way for one search, once it's complete, to trigger another search?

woodcock · ‎01-23-2017

You can use depends in dashboards so that when one panel completes, the dependent panel will start. The closest that you can do for an ad-hoc search is to pull a saved search into another search like this:

You First Search | appendpipe [ | savedsearch Your:Second:Search ]

You can run splunk searches from the CLI so you could setup a cron like this:

00 12 * * * * /opt/splunk/bin/splunk Your First Search Details Here && /opt/splunk/bin/splunk Your Second Search Details Here

You could also make the first search an alert with an always trigger action to call a custom script that does the second part (like the CLI/cron).

I have asked for this feature for saved searches but do not expect any action.

View solution in original post

sloshburch · ‎01-25-2017

I'm still a fan of the post processing. If the panels are all similar base searches then a post processing is the strongest approach because it has the least dependencies and only moderate complexity.

Alternatively, an accelerated data model could help them render any such searches with speed.

arkadyz1 · ‎01-23-2017

This is too wide and too vague of a question. One potential solution: if you are ready to work with JavaScript, you should be able to achieve this, watching for search:done event of a search.

somesoni2 · ‎01-23-2017

Could you add more details on what each of the search does and what creates the dependency on the order?

a212830 · ‎01-24-2017

I have a customer who has a dashboard with lots of panels - 10/12. I'd rather not have that many searches kick off at once, and according to the customer, these panels aren't used enough to justify him scheduling the search (plus, he''d prefer it to be current). I thought a good alternative would be to have some of these searches kick off other searches, if possible. I've also explained the concept of post-processing to the customer, and he is looking into that possibility.

woodcock · ‎01-24-2017

Look at using a base search in your dashboard and if that won't work, you can stage the searches in the panels with depends as I described in my answer.

woodcock · ‎01-23-2017

You can use depends in dashboards so that when one panel completes, the dependent panel will start. The closest that you can do for an ad-hoc search is to pull a saved search into another search like this:

You First Search | appendpipe [ | savedsearch Your:Second:Search ]

You can run splunk searches from the CLI so you could setup a cron like this:

00 12 * * * * /opt/splunk/bin/splunk Your First Search Details Here && /opt/splunk/bin/splunk Your Second Search Details Here

You could also make the first search an alert with an always trigger action to call a custom script that does the second part (like the CLI/cron).

I have asked for this feature for saved searches but do not expect any action.

skoelpin · ‎01-23-2017

I would agree that using options in your dashboard is the best approach to have a second search triggered by the first

gcusello · ‎01-23-2017

Hi a212830,
I don't think that it's possible, You could create and schedule an alert (first search) that as action runs a script that contain the second search, but I don't know if this is what you need!
Bye.
Giuseppe

Can one search trigger another?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?