https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442876#M21219 <P>We reach situations in which application teams set their alerts at the top of the hour and when we (the Splunk team) catch it, it might be too late.</P> <P>Is there a way to produce a report which lists the run times and detect excessive usage times? </P> Thu, 20 Dec 2018 17:02:13 GMT ddrillic 2018-12-20T17:02:13Z https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442876#M21219 <P>We reach situations in which application teams set their alerts at the top of the hour and when we (the Splunk team) catch it, it might be too late.</P> <P>Is there a way to produce a report which lists the run times and detect excessive usage times? </P> Thu, 20 Dec 2018 17:02:13 GMT https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442876#M21219 ddrillic 2018-12-20T17:02:13Z https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442877#M21220 <P>Yeah, you can use the internal index for this. You should explicitly add savedsearch_name for this </P> <PRE><CODE>index=_internal savedsearch_name=* | timechart max(run_time) AS run_time by savedsearch_name </CODE></PRE> Thu, 20 Dec 2018 19:00:15 GMT https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442877#M21220 skoelpin 2018-12-20T19:00:15Z https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442878#M21221 <P>Thank you @skoelpin.</P> <P>I changed the <CODE>max</CODE> to <CODE>sum</CODE> and we can see - </P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6278i28C68C170BBC2442/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>We can see that at each quarter of the hour we have peak usage. <BR /> Can we find out from <CODE>_internal</CODE> how many searches were skipped?</P> Thu, 20 Dec 2018 21:41:19 GMT https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442878#M21221 ddrillic 2018-12-20T21:41:19Z https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442879#M21222 <P>Yes, you sure can! </P> <PRE><CODE>index=_internal sourcetype=scheduled status=skipped NOT "_ACCELERATE*" | timechart count by savedsearch_name </CODE></PRE> Thu, 20 Dec 2018 21:46:43 GMT https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442879#M21222 skoelpin 2018-12-20T21:46:43Z https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442880#M21223 <P>Just ran -</P> <PRE><CODE>index=_internal sourcetype=scheduler status=skipped NOT "_ACCELERATE*" | timechart count </CODE></PRE> <P>It shows -</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6279i52561860455BD0F3/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 20 Dec 2018 21:56:28 GMT https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442880#M21223 ddrillic 2018-12-20T21:56:28Z https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442881#M21224 <P>The totals for an hour are -</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6280i43B4D73AABACEF62/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 20 Dec 2018 21:57:35 GMT https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442881#M21224 ddrillic 2018-12-20T21:57:35Z https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442882#M21225 <P>Yeah, you have a problem with skips at 4am. You should trend this over time by using <CODE>timewrap</CODE> to see if there's a pattern. Most likely, other searches are competing for resources and they run long and cause skips. You can fix this by changing search priroty away from 0 to auto. </P> <P>You can split by <CODE>savedsearch_name</CODE> or get a total over a span of time by adding <CODE>span=1h</CODE>. We use this search to alert us and cut a ticket when we start skipping. Skips are unacceptable for us</P> Thu, 20 Dec 2018 22:09:02 GMT https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442882#M21225 skoelpin 2018-12-20T22:09:02Z https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442883#M21226 <P>Much appreciated @skoelpin.</P> Fri, 21 Dec 2018 20:39:31 GMT https://community.splunk.com/t5/Deployment-Architecture/How-can-we-detect-excessive-overlapping-alerts/m-p/442883#M21226 ddrillic 2018-12-21T20:39:31Z