Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do you set the order of queries to be run in a...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rbal_splunk
Splunk Employee
08-29-2018
01:36 PM
We have 2 different searches which are interrelated.
1st search is called through a macro which publishes its result into a lookup file.
While 2nd search uses the data from the lookup file(result of macro) to get the desired result.
Currently we are calling the macro in 1st panel, while the 2nd panel has the 2nd search.
Issue:
When we refresh the dashboard both the 1st and 2nd panel are running in parallel. Because of which, we are getting the desired result.
Resolving requirement:
When the dashboard is refreshed, 2nd panel must wait till the search query of 1st panel is complete.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rbal_splunk
Splunk Employee
08-29-2018
01:38 PM
This can be done using token between dashboard Panel.
<form>
<fieldset submitButton="false">
<input type="time" token="time" searchWhenChanged="true">
<label>time</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>run this panel first</title>
<table>
<search>
<query>index=_internal sourcetype=splunkd</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<progress>
<unset token="NOOP_1"></unset>
</progress>
<done>
<set token="NOOP_1">noop</set>
</done>
</search>
<option name="count">2</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel depends="$NOOP_1$">
<title>run this panel second</title>
<table>
<search>
<query>index=_introspection</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<progress>
<unset token="NOOP_2"></unset>
</progress>
<done>
<set token="NOOP_2">noop</set>
</done>
</search>
<option name="count">2</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel depends="$NOOP_2$">
<title>run this panel third</title>
<table>
<search>
<query>index=_audit</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<progress>
<unset token="NOOP_3"></unset>
</progress>
<done>
<set token="NOOP_3">noop</set>
</done>
</search>
<option name="count">2</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<!--row>
<panel depends="$NOOP_3$">
<title>This panel shows execution time of search by search_id</title>
<input type="multiselect" token="sid">
<label>sid</label>
<fieldForLabel>search_id</fieldForLabel>
<fieldForValue>search_id</fieldForValue>
<search>
<query>index=_audit source=*audittrail* host=* action=search info=completed search_id!=*scheduler* search_id!=*SummaryDirector* earliest=-2m@m | convert ctime(exec_time) as exec_time_human | table search_id exec_time_human exec_time _time | dedup search_id | table search_id</query>
<earliest>-15m</earliest>
<latest>now</latest>
<refresh>30s</refresh>
</search>
<delimiter> OR search_id=</delimiter>
</input>
<table>
<search>
<query>index=_audit source=*audittrail* host=* action=search info=completed search_id=$sid$ earliest=-2m@m | convert ctime(exec_time) as exec_time_human | table search_id exec_time_human exec_time _time</query>
<earliest>-5m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row-->
</form>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
08-29-2018
02:35 PM
@rbal_splunk you are hiding the dependent panels until required token is set in the previous panel. However, the dependent search would still execute, whether the panel is displayed or hidden.
If you really want to stop the dependent searches from running you would need to add a dummy dependency of the tokens to respective searches as well. Following is an extended example on similar approach using comment macro.
PS: The macro would need to be defined in Splunk App or made Global depending on need.
<form>
<label>Run search based on order</label>
<fieldset submitButton="false">
<input type="time" token="time" searchWhenChanged="true">
<label>time</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>run this panel first</title>
<table>
<search>
<query>index=_internal sourcetype=splunkd</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<progress>
<unset token="NOOP_1"></unset>
</progress>
<done>
<set token="NOOP_1">noop</set>
</done>
</search>
<option name="count">2</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel depends="$NOOP_1$">
<title>run this panel second</title>
<table>
<search>
<query>index=_introspection `comment("DO NOT RUN IF $NOOP_1$ IS NOT SET")`</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<progress>
<unset token="NOOP_2"></unset>
</progress>
<done>
<set token="NOOP_2">noop</set>
</done>
</search>
<option name="count">2</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel depends="$NOOP_2$">
<title>run this panel third</title>
<table>
<search>
<query>index=_audit `comment("DO NOT RUN IF $NOOP_2$ IS NOT SET")`</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<progress>
<unset token="NOOP_3"></unset>
</progress>
<done>
<set token="NOOP_3">noop</set>
</done>
</search>
<option name="count">2</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rbal_splunk
Splunk Employee
08-29-2018
01:38 PM
This can be done using token between dashboard Panel.
<form>
<fieldset submitButton="false">
<input type="time" token="time" searchWhenChanged="true">
<label>time</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<title>run this panel first</title>
<table>
<search>
<query>index=_internal sourcetype=splunkd</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<progress>
<unset token="NOOP_1"></unset>
</progress>
<done>
<set token="NOOP_1">noop</set>
</done>
</search>
<option name="count">2</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel depends="$NOOP_1$">
<title>run this panel second</title>
<table>
<search>
<query>index=_introspection</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<progress>
<unset token="NOOP_2"></unset>
</progress>
<done>
<set token="NOOP_2">noop</set>
</done>
</search>
<option name="count">2</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<row>
<panel depends="$NOOP_2$">
<title>run this panel third</title>
<table>
<search>
<query>index=_audit</query>
<earliest>$time.earliest$</earliest>
<latest>$time.latest$</latest>
<progress>
<unset token="NOOP_3"></unset>
</progress>
<done>
<set token="NOOP_3">noop</set>
</done>
</search>
<option name="count">2</option>
<option name="drilldown">none</option>
</table>
</panel>
</row>
<!--row>
<panel depends="$NOOP_3$">
<title>This panel shows execution time of search by search_id</title>
<input type="multiselect" token="sid">
<label>sid</label>
<fieldForLabel>search_id</fieldForLabel>
<fieldForValue>search_id</fieldForValue>
<search>
<query>index=_audit source=*audittrail* host=* action=search info=completed search_id!=*scheduler* search_id!=*SummaryDirector* earliest=-2m@m | convert ctime(exec_time) as exec_time_human | table search_id exec_time_human exec_time _time | dedup search_id | table search_id</query>
<earliest>-15m</earliest>
<latest>now</latest>
<refresh>30s</refresh>
</search>
<delimiter> OR search_id=</delimiter>
</input>
<table>
<search>
<query>index=_audit source=*audittrail* host=* action=search info=completed search_id=$sid$ earliest=-2m@m | convert ctime(exec_time) as exec_time_human | table search_id exec_time_human exec_time _time</query>
<earliest>-5m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row-->
</form>
Get Updates on the Splunk Community!
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
