Splunk Search

Is there a way to run a query only if two other search jobs finish first on the same dashboard?

Bags
Explorer

Hello.

I have two queries that will run and write to two files. Then my third query will read from the two files. Is there a way to force the third query to wait for those first queries to finish?

<form>
  <label>Post Release</label>
  <fieldset autoRun="false" submitButton="true">
    <input type="time" token="time_before">
      <label>Time - Before</label>
      <default>
        <earliestTime>-4h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
    <input type="text" token="excludedMessagesBefore">
      <label>Excluded Messages - Before</label>
      <default>NOT ("" OR "")</default>
    </input>
    <input type="time" token="time_after">
      <label>Time - After</label>
      <default>
        <earliestTime>-4h</earliestTime>
        <latestTime>now</latestTime>
      </default>
    </input>
    <input type="text" token="excludedMessagesAfter">
      <label>Excluded Messages - After</label>
      <default>NOT ("" OR "")</default>
    </input>
    <input type="text" token="hidden">
      <label>vLEAVE THIS EMPTYv</label>
      <default/>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>$excludedMessagesBefore$</title>
        <search>
          <query>tag=icp_prod sourcetype=icp_stp_json level=error $excludedMessagesBefore$ | dedup message | sort - _time | outputlookup message_lookup_ICP_prod_pre.csv | table _time, message</query>
          <earliest>1460210400</earliest>
          <latest>1460217600</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>$excludedMessagesAfter$</title>
        <search>
          <query>tag=icp_prod sourcetype=icp_stp_json level=error $excludedMessagesAfter$ | dedup message | sort - _time | outputlookup message_lookup_ICP_prod_post.csv | table _time, message</query>
          <earliest>1460217600</earliest>
          <latest>1460224800</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">row</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>FINAL</title>
        <search>
          <query>$hidden$ | set diff [| inputlookup message_lookup_ICP_prod_post.csv | eval messageSubstring = substr(message, 1, 100) | table messageSubstring] [| inputlookup message_lookup_ICP_prod_pre.csv | eval messageSubstring = substr(message, 1, 100) | table messageSubstring] | outputlookup message_lookup_ICP_prod_diff.csv | table messageSubstring</query>
          <earliest>1460210400</earliest>
          <latest>1460224800</latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="drilldown">cell</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</form>

Currently, what happens is that the third query executes on the two files written the previous time this dashboard's Submit button was pressed. So I am curious whether there is a way, on the same Splunk dashboard page, to make the third query run after the first two, or to have it activated by its own Submit button?

0 Karma

krdo
Communicator

I did something similar using tokens and loadjob:

<form>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="timeRange1">
      <label>Time Range 1</label>
      <default>
        <earliest>-2h</earliest>
        <latest>-1h</latest>
      </default>
    </input>
    <input type="time" token="timeRange2">
      <label>Time Range 2</label>
      <default>
        <earliest>-1h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Query 1</title>
      <table>
        <search>
          <query>index=_internal | stats count</query>
          <earliest>$timeRange1.earliest$</earliest>
          <latest>$timeRange1.latest$</latest>
          <!-- Store the sid once the search is done. -->
          <done>
            <set token="query1.sid">$job.sid$</set>
          </done>
        </search>
      </table>
    </panel>
    <panel>
      <title>Query 2</title>
      <table>
        <search>
          <query>index=_internal | stats count</query>
          <earliest>$timeRange2.earliest$</earliest>
          <latest>$timeRange2.latest$</latest>
          <!-- Store the sid once the search is done. -->
          <done>
            <set token="query2.sid">$job.sid$</set>
          </done>
        </search>
      </table>
    </panel>
  </row>
  <!-- Use <row depends="$query1.sid$,$query2.sid$"> if you want to hide the row until both tokens are set. -->
  <row>
    <panel>
      <title>Query 3 (Depends on Query 1 and Query 2)</title>
      <table>
        <search>
          <!-- Use loadjob to get access to the results of the two searches. -->
          <query>
            | loadjob $query1.sid$
            | eval name="Count from Query1"
            | append [
              | loadjob $query2.sid$
              | eval name="Count from Query2"
            ]</query>
          <earliest>$timeRange2.earliest$</earliest>
          <latest>$timeRange2.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>

This obviously does not write/read files (but this could be added if needed). Also, the queries have been simplified as this is only a simple demo.

The trick is that you set a token once a base search (Query 1 & 2) finishes. In the child search (Query 3) you use those tokens to access the results of the base searches. As you use both tokens in the search query, Splunk will wait until both are set before executing Query 3.
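The same token-on-done pattern applied to the original question's dashboard, as an added example that is not part of either post above: the two base searches still write their CSVs, but the FINAL panel reads the two finished jobs through `loadjob`, so it cannot dispatch until both sids exist. The `excludedMessages` text inputs are left out for brevity; the token names `pre_sid` and `post_sid` are assumed here.

```xml
<form>
  <fieldset submitButton="true" autoRun="false">
    <input type="time" token="time_before">
      <label>Time - Before</label>
      <default><earliest>-4h</earliest><latest>now</latest></default>
    </input>
    <input type="time" token="time_after">
      <label>Time - After</label>
      <default><earliest>-4h</earliest><latest>now</latest></default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Pre-release errors</title>
      <table>
        <search>
          <query>tag=icp_prod sourcetype=icp_stp_json level=error | dedup message | sort - _time | outputlookup message_lookup_ICP_prod_pre.csv | table _time, message</query>
          <earliest>$time_before.earliest$</earliest>
          <latest>$time_before.latest$</latest>
          <!-- Fires only after the job (including outputlookup) has completed; publish its sid. -->
          <done><set token="pre_sid">$job.sid$</set></done>
        </search>
      </table>
    </panel>
    <panel>
      <title>Post-release errors</title>
      <table>
        <search>
          <query>tag=icp_prod sourcetype=icp_stp_json level=error | dedup message | sort - _time | outputlookup message_lookup_ICP_prod_post.csv | table _time, message</query>
          <earliest>$time_after.earliest$</earliest>
          <latest>$time_after.latest$</latest>
          <done><set token="post_sid">$job.sid$</set></done>
        </search>
      </table>
    </panel>
  </row>
  <!-- Row stays hidden until both sids are set; the query itself also cannot run with an unset token. -->
  <row depends="$pre_sid$,$post_sid$">
    <panel>
      <title>FINAL: message differences</title>
      <table>
        <search>
          <query>| set diff [| loadjob $post_sid$ | eval messageSubstring=substr(message,1,100) | table messageSubstring] [| loadjob $pre_sid$ | eval messageSubstring=substr(message,1,100) | table messageSubstring] | outputlookup message_lookup_ICP_prod_diff.csv | table messageSubstring</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the FINAL query references only the two sid tokens, it is re-dispatched exactly when a new pair of base jobs completes after Submit, not on the Submit click itself.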

ryandg
Communicator

Unfortunately, I have retracted my answer; it doesn't look like it is possible. I am trying to get it to work on my own side first.

0 Karma