Splunk Search

How to display dashboard when all searches done loading?

denzelchung
Path Finder

I have a base query in my dashboard with multiple other queries that make use of the base query.

In my base query, I have the following evaluation when the search is done.

<search id="master">
  ...
  <done>
    <eval token="lastUpdated">strftime(now(),"%d/%m/%Y, %I:%M %p")</eval>
  </done>
</search>

<search base="master" id="firstApp">
  ...
  <done>
     <set token="app_A">$result.App$</set>
     <set token="status_A">$result.Status$</set>
   </done>
</search>

...

<search base="master" id="lastApp">
  ...
  <done>
     <set token="app_Z">$result.App$</set>
     <set token="status_Z">$result.Status$</set>
     <set token="done">true</set>
   </done>
</search>

In the last search, I set a token called "done" to be true. It currently works, but I am not sure if the searches will be run in order. Even if they run in order, is it guaranteed that the searches will finish evaluating in order and that all my tokens (app_A, ..., app_Z, status_A, ..., status_Z) are properly set?

I want to have a token to indicate that all searches are done. How can I do so?

I want this token so that in my JavaScript, I can do the following:

tokens.on("change:done", function(model, value) {
  updateDisplay(tokens);
});
Tags (3)
0 Karma
1 Solution

harshpatel
Contributor

Hi @denzelchung,

I think what you should do instead is have a separate token for each search.

For understanding:

Let's say search1 sets token1 to true when it is done executing so and so for search2 and search3. And also after setting these tokens on search:done you also check for a condition that will set your token done if and only if each token for each search is set. The condition can be like if token1=true and token2=true and token3=true then set token done.

This condition should be there for each search so whichever search is executed last will have this condition satisfy to true and will set your token done.

For your reference: https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/PanelreferenceforSimplifiedXML#condition_.28f...

Cheers,
Harsh

View solution in original post

harshpatel
Contributor

Hi @denzelchung,

I think what you should do instead is have a separate token for each search.

For understanding:

Let's say search1 sets token1 to true when it is done executing so and so for search2 and search3. And also after setting these tokens on search:done you also check for a condition that will set your token done if and only if each token for each search is set. The condition can be like if token1=true and token2=true and token3=true then set token done.

This condition should be there for each search so whichever search is executed last will have this condition satisfy to true and will set your token done.

For your reference: https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/PanelreferenceforSimplifiedXML#condition_.28f...

Cheers,
Harsh

denzelchung
Path Finder

Am I right to say that you're suggesting the following method:

<search id="master">
  ...
  <done>
    <eval token="lastUpdated">strftime(now(),"%d/%m/%Y, %I:%M %p")</eval>
  </done>
</search>

<search base="master" id="firstApp">
  <query>
    ...
    | eval done=if($token1$=true and $token2$=true and ..., 1, 0)
  </query>
  <done>
     <set token="app_A">$result.App$</set>
     <set token="status_A">$result.Status$</set>
     <set token="token1">true</set>
   </done>
</search>

...

<search base="master" id="lastApp">
  <query>
    ...
    | eval done=if($token1$=true and $token2$=true and ..., 1, 0)
  </query>
  <done>
     <set token="app_Z">$result.App$</set>
     <set token="status_Z">$result.Status$</set>
     <set token="token26">true</set>
   </done>
</search>
0 Karma

harshpatel
Contributor

Yes, It will help to make sure all searches are finished.

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...