Hi, how can I add a delay between two commands in Splunk?
I have a scenario,
1) where I will append the search results to an existing lookup file,
2) in the second step I need to retrieve the complete results and perform lookup activities on the search results in this step
If I use them in a single query, I am worried that before exporting results to the lookup file the second query may execute. So I am thinking of adding a delay between the two commands.
Simply:
After using the | outputlookup command to export results to a file, I need to use the lookup command to map the latest results in the file to specific search results. But I worry that if the lookup command executes in parallel with the outputlookup command, incomplete result mapping will happen.
Is it possible?
Hi ankithreddy777,
not sure if the question is still relevant, but as I had a similar issue (I think) I will share my solution.
If I interpret your question correctly, you have something like:
search ... | processing ...
| outputlookup append=true file_1.csv
| append
[ | inputlookup file_1.csv | lookup ... | processing and merging... ]
| final processing or outputlookup
If this is your scenario, then your first outputlookup will have the results of your initial search appended correctly, BUT the inputlookup file_1.csv in the append section is a subsearch and will get parsed and dispatched before your outer search, so it will take the version of file_1.csv before the results from your search have been appended.
The append command appends the results of a subsearch to the current results.
To solve this, you can just replace append by appendpipe.
This appends the result of the subpipeline to the search results. Unlike a subsearch, the subpipeline is not run first. The subpipeline is run when the search reaches the appendpipe command.
Commands on a single query are executed in the sequence they appear in the SPL. The next processing step in the search is not started until the previous step has completed.
So, if you do somesearch | outputlookup blah | someothercommand that uses the lookup, someothercommand will not start until the outputlookup has returned/completed.
Hi ssievert,
Thank you for the response. Does this apply to subsearches also?
I thought the subsearch part of the | append command executes in parallel with the main search. Am I right?
Hi ankithreddy777,
could you share more details?
Bye.
Giuseppe