Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display dashboard when all searches done loading?

denzelchung
Path Finder
‎06-18-2019 09:05 PM

I have a base query in my dashboard with multiple other queries that make use of the base query.

In my base query, I have the following evaluation when the search is done.

<search id="master">
  ...
  <done>
    <eval token="lastUpdated">strftime(now(),"%d/%m/%Y, %I:%M %p")</eval>
  </done>
</search>

<search base="master" id="firstApp">
  ...
  <done>
     <set token="app_A">$result.App$</set>
     <set token="status_A">$result.Status$</set>
   </done>
</search>

...

<search base="master" id="lastApp">
  ...
  <done>
     <set token="app_Z">$result.App$</set>
     <set token="status_Z">$result.Status$</set>
     <set token="done">true</set>
   </done>
</search>

In the last search, I set a token called "done" to be true. It currently works, but I am not sure if the searches will be run in order. Even if they run in order, is it guaranteed that the searches will finish evaluating in order and that all my tokens (app_A, ..., app_Z, status_A, ..., status_Z) are properly set?

I want to have a token to indicate that all searches are done. How can I do so?

I want this token so that in my JavaScript, I can do the following:

tokens.on("change:done", function(model, value) {
  updateDisplay(tokens);
});
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

harshpatel
Contributor
‎06-18-2019 10:39 PM

Hi @denzelchung,

I think what you should do instead is have a separate token for each search.

For understanding:

Let's say search1 sets token1 to true when it is done executing so and so for search2 and search3. And also after setting these tokens on search:done you also check for a condition that will set your token done if and only if each token for each search is set. The condition can be like if token1=true and token2=true and token3=true then set token done.

This condition should be there for each search so whichever search is executed last will have this condition satisfy to true and will set your token done.

For your reference: https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/PanelreferenceforSimplifiedXML#condition_.28f...

Cheers,
Harsh

View solution in original post

Reply
Solved! Jump to solution
Solution

harshpatel
Contributor
‎06-18-2019 10:39 PM

Hi @denzelchung,

I think what you should do instead is have a separate token for each search.

For understanding:

Let's say search1 sets token1 to true when it is done executing so and so for search2 and search3. And also after setting these tokens on search:done you also check for a condition that will set your token done if and only if each token for each search is set. The condition can be like if token1=true and token2=true and token3=true then set token done.

This condition should be there for each search so whichever search is executed last will have this condition satisfy to true and will set your token done.

For your reference: https://docs.splunk.com/Documentation/Splunk/7.3.0/Viz/PanelreferenceforSimplifiedXML#condition_.28f...

Cheers,
Harsh

Reply
Solved! Jump to solution

denzelchung
Path Finder
‎06-18-2019 10:57 PM

Am I right to say that you're suggesting the following method:

<search id="master">
  ...
  <done>
    <eval token="lastUpdated">strftime(now(),"%d/%m/%Y, %I:%M %p")</eval>
  </done>
</search>

<search base="master" id="firstApp">
  <query>
    ...
    | eval done=if($token1$=true and $token2$=true and ..., 1, 0)
  </query>
  <done>
     <set token="app_A">$result.App$</set>
     <set token="status_A">$result.Status$</set>
     <set token="token1">true</set>
   </done>
</search>

...

<search base="master" id="lastApp">
  <query>
    ...
    | eval done=if($token1$=true and $token2$=true and ..., 1, 0)
  </query>
  <done>
     <set token="app_Z">$result.App$</set>
     <set token="status_Z">$result.Status$</set>
     <set token="token26">true</set>
   </done>
</search>
0 Karma
Reply
Solved! Jump to solution

harshpatel
Contributor
‎06-19-2019 12:10 AM

Yes, It will help to make sure all searches are finished.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...