How to display dashboard when all searches done loading?

Path Finder

I have a base query in my dashboard with multiple other queries that make use of the base query.

In my base query, I have the following evaluation when the search is done.

<search id="master">
  ...
  <done>
    <eval token="lastUpdated">strftime(now(),"%d/%m/%Y, %I:%M %p")</eval>
  </done>
</search>

<search base="master" id="firstApp">
  ...
  <done>
    <set token="app_A">$result.App$</set>
    <set token="status_A">$result.Status$</set>
  </done>
</search>

...

<search base="master" id="lastApp">
  ...
  <done>
    <set token="app_Z">$result.App$</set>
    <set token="status_Z">$result.Status$</set>
    <set token="done">true</set>
  </done>
</search>

In the last search, I set a token called "done" to be true. It currently works, but I am not sure if the searches will be run in order. Even if they run in order, is it guaranteed that the searches will finish evaluating in order and that all my tokens (appA, ..., appZ, statusA, ..., statusZ) are properly set?

I want to have a token to indicate that all searches are done. How can I do so?

I want this token so that in my JavaScript, I can do the following:

tokens.on("change:done", function(model, value) {
  updateDisplay(tokens);
});

Contributor

Hi @denzelchung,

I think what you should do instead is have a separate token for each search.

For understanding:

Let's say search1 sets token1 to true when it is done executing, and so on for search2 and search3. After setting these tokens on search:done, you also check a condition that will set your token done if and only if the token for each search is set. The condition can be like: if token1=true and token2=true and token3=true, then set token done.

This condition should be there for each search, so whichever search is executed last will satisfy this condition and will set your token done.

For your reference: https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/PanelreferenceforSimplifiedXML#condition_.28f...

Cheers,
Harsh
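
The same gating done on the JavaScript side, as an added example that is not code from this thread or from Splunk. It assumes each search's `<done>` handler sets its own token (token1, token2, token3, as named in the answer) to "true"; `FakeTokens`, `gateOnAll` and `demo` are hypothetical names, and `FakeTokens` is a constructed stand-in for the model a dashboard gets from `mvc.Components.get("default")`.

```javascript
// Constructed stand-in for the dashboard token model so this runs offline.
// The real model is a Backbone model with the same get/set/unset/on methods.
class FakeTokens {
  constructor() { this.values = {}; this.handlers = {}; }
  get(name) { return this.values[name]; }
  set(name, value) {
    if (this.values[name] === value) return; // no change event if unchanged
    this.values[name] = value;
    this.fire(name, value);
  }
  unset(name) {
    if (!(name in this.values)) return;
    delete this.values[name];
    this.fire(name, undefined);
  }
  on(event, fn) {
    this.handlers[event] = this.handlers[event] || [];
    this.handlers[event].push(fn);
  }
  fire(name, value) {
    (this.handlers["change:" + name] || []).forEach((fn) => fn(this, value));
  }
}

// Sets doneToken once every token in `required` equals "true", in whatever
// order the searches finish, and clears it if any of them is unset (re-run).
function gateOnAll(tokens, required, doneToken) {
  function check() {
    const allSet = required.every((name) => tokens.get(name) === "true");
    if (allSet) tokens.set(doneToken, "true");
    else tokens.unset(doneToken);
  }
  required.forEach((name) => tokens.on("change:" + name, check));
  check(); // covers searches that finished before the listeners were attached
}

// Simulate the per-search tokens being set in the given order.
function demo(order) {
  const tokens = new FakeTokens();
  const calls = [];
  tokens.on("change:done", (model, value) => calls.push(value));
  gateOnAll(tokens, ["token1", "token2", "token3"], "done");
  order.forEach((name) => tokens.set(name, "true"));
  return { done: tokens.get("done"), calls: calls };
}

console.log(demo(["token3", "token1", "token2"]));
```

With this in place, the `change:done` handler from the question fires once, after the last of the per-search tokens is set.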

Path Finder

Am I right to say that you're suggesting the following method:

<search id="master">
  ...
  <done>
    <eval token="lastUpdated">strftime(now(),"%d/%m/%Y, %I:%M %p")</eval>
  </done>
</search>

<search base="master" id="firstApp">
  <query>
    ...
    | eval done=if($token1$=true and $token2$=true and ..., 1, 0)
  </query>
  <done>
    <set token="app_A">$result.App$</set>
    <set token="status_A">$result.Status$</set>
    <set token="token1">true</set>
  </done>
</search>

...

<search base="master" id="lastApp">
  <query>
    ...
    | eval done=if($token1$=true and $token2$=true and ..., 1, 0)
  </query>
  <done>
    <set token="app_Z">$result.App$</set>
    <set token="status_Z">$result.Status$</set>
    <set token="token26">true</set>
  </done>
</search>

Contributor

Yes, it will help to make sure all searches are finished.