https://community.splunk.com/t5/Monitoring-Splunk/Co-relation-search/m-p/464355#M3903 <P>I have two co-relation search in ITSI which is scheduled to 15 minutes of windows, what is the appropriate scheduled should be set to avoid any performance issue in future.</P> Sat, 06 Jun 2020 01:07:06 GMT friend444 2020-06-06T01:07:06Z https://community.splunk.com/t5/Monitoring-Splunk/Co-relation-search/m-p/464355#M3903 <P>I have two co-relation search in ITSI which is scheduled to 15 minutes of windows, what is the appropriate scheduled should be set to avoid any performance issue in future.</P> Sat, 06 Jun 2020 01:07:06 GMT https://community.splunk.com/t5/Monitoring-Splunk/Co-relation-search/m-p/464355#M3903 friend444 2020-06-06T01:07:06Z https://community.splunk.com/t5/Monitoring-Splunk/Co-relation-search/m-p/464356#M3904 <P>There are no definitive answers, it depends on your search time, the server concurrency load, and the desired time to be notified of alerts or the frequency.</P> <P>Example : you run 2 correlation searches running every 15 minutes, looking back at 15 minutes.</P> <UL> <LI>If the searchest take 10 seconds to execute, then it will not count on your search concurrency as 2 jobs for 10 seconds every 15 min.</LI> <LI>If the searches take 20 minutes to run, then it will persistently count at 2 job concurrencies, plus every 15 min, you will have an overlap, and it will count at 4...</LI> </UL> <P>If you have an alert condition happening t=0, then the correlation search runs as t=10m, then it will take you 10 minutes to be get a notable alert created, and a few seconds to get grouped in an Episode and trigger an action. <BR /> Changing the frequency will help control the time before you are notified, it may vary based on the type of data you are monitoring,</P> Mon, 03 Feb 2020 22:47:24 GMT https://community.splunk.com/t5/Monitoring-Splunk/Co-relation-search/m-p/464356#M3904 yannK 2020-02-03T22:47:24Z