https://community.splunk.com/t5/Splunk-Search/How-scheduling-works/m-p/238846#M188733 <P>Glad to help! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 17 Aug 2016 16:20:24 GMT horsefez 2016-08-17T16:20:24Z https://community.splunk.com/t5/Splunk-Search/How-scheduling-works/m-p/238841#M188728 <P>Hi,</P> <P>I have a scheduled search that runs every 1 minute and it searches events on last 1 minute.</P> <P>Will this search cover all future events?<BR /> If the search could start (for example) at 5:07:05 and than at 5:08:07 - are the data from (5:07:05 - 5:07:07) lost?</P> Wed, 17 Aug 2016 12:42:29 GMT https://community.splunk.com/t5/Splunk-Search/How-scheduling-works/m-p/238841#M188728 lukasz92 2016-08-17T12:42:29Z https://community.splunk.com/t5/Splunk-Search/How-scheduling-works/m-p/238842#M188729 <P>What are you trying to accomplish with your scheduled search? Do you have an alert tied to this scheduled search?</P> <P>You set the time window for 1 minute, so technically the data is not "lost", but the data is not available in your 1 minute window if it's older than 1 minute</P> Wed, 17 Aug 2016 12:51:47 GMT https://community.splunk.com/t5/Splunk-Search/How-scheduling-works/m-p/238842#M188729 skoelpin 2016-08-17T12:51:47Z https://community.splunk.com/t5/Splunk-Search/How-scheduling-works/m-p/238843#M188730 <P>Hi lukasz92, </P> <P>there is a solution to your problem.</P> <P>Try to apply the following settings to your alert</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1743i2AEE97D9EF7E2D43/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>This will asure, that everything from 02:46:00 to 02:47:00 is covered. The alert is able to run between 02:47:00 and 02:47:59 and will still catch the data.</P> <HR /> <P><STRONG>BUT</STRONG>, splunk takes time to index data... so data that reaches the machine on 02:46:59 might not be indexed by 02:47:00... so you should try to make like a little "window" for your alert to run in... do that in the Cron-Expression field.</P> Wed, 17 Aug 2016 12:53:11 GMT https://community.splunk.com/t5/Splunk-Search/How-scheduling-works/m-p/238843#M188730 horsefez 2016-08-17T12:53:11Z https://community.splunk.com/t5/Splunk-Search/How-scheduling-works/m-p/238844#M188731 <P>Yes, Something like searching for custom events and alerting. </P> <P>Technically I agree and understand - my question was about practice: how this does actually work.</P> Wed, 17 Aug 2016 13:28:07 GMT https://community.splunk.com/t5/Splunk-Search/How-scheduling-works/m-p/238844#M188731 lukasz92 2016-08-17T13:28:07Z https://community.splunk.com/t5/Splunk-Search/How-scheduling-works/m-p/238845#M188732 <P>it is a great solution. I have not thought about "@m".<BR /> Thanks!</P> Wed, 17 Aug 2016 13:30:23 GMT https://community.splunk.com/t5/Splunk-Search/How-scheduling-works/m-p/238845#M188732 lukasz92 2016-08-17T13:30:23Z https://community.splunk.com/t5/Splunk-Search/How-scheduling-works/m-p/238846#M188733 <P>Glad to help! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 17 Aug 2016 16:20:24 GMT https://community.splunk.com/t5/Splunk-Search/How-scheduling-works/m-p/238846#M188733 horsefez 2016-08-17T16:20:24Z