Solved: Can you help me figure out this gap in the alert s...

damucka · ‎02-01-2019

Hello,

I have an alert scheduled each minute.

Yesterday, I had a gap in scheduling between 16:15 and 16:51 and I am not able to find the reason for that:

There were no skipped "Anomaly Detection" alerts in this period:

Also, looking at the scheduler log, I am not getting any smarter; the two corresponding entries from 16:15 and the next from 16:51 are:

1/31/19
4:51:40.841 PM  
01-31-2019 16:51:40.841 +0100 INFO  SavedSplunker - savedsearch_id="nobody;mlbso;Anomaly Detection", search_type="scheduled", user="d046266", app="mlbso", savedsearch_name="Anomaly Detection", priority=default, status=success, digest_mode=1, scheduled_time=1548949620, window_time=0, dispatch_time=1548949886, run_time=13.882, result_count=0, alert_actions="", sid="scheduler__d046266__mlbso__RMD54eeec7fba2d5a846_at_1548949620_52", suppressed=0, thread_id="AlertNotifierWorker-0"
host =  mo-91aebdc20.mo.sap.corp source =   /opt/splunk/var/log/splunk/scheduler.log sourcetype =   scheduler
1/31/19
4:15:27.308 PM  
01-31-2019 16:15:27.308 +0100 INFO  SavedSplunker - savedsearch_id="nobody;mlbso;Anomaly Detection", search_type="scheduled", user="d046266", app="mlbso", savedsearch_name="Anomaly Detection", priority=default, status=success, digest_mode=1, scheduled_time=1548947580, window_time=0, dispatch_time=1548947720, run_time=6.333, result_count=0, alert_actions="", sid="scheduler__d046266__mlbso__RMD54eeec7fba2d5a846_at_1548947580_24969", suppressed=0, thread_id="AlertNotifierWorker-0"

Could you please help me analyze this issue?

Where would I look?

Kind regards,
Kamil

damucka · ‎02-04-2019

Hi,

The issue with the gap is clarified ... it was trivial, I asked the Splunk admin and he mentioned there would be some problems with the servers and they needed 10 min restart.

But anyway, perhaps you can help me with the second one I have, it is visible on the screenshot as well and this is a permanent lag of 2 mins between schedule time and dispatch time of this alert. This is actually not only for this alert but for many, not all though. Not sure where this can come from. There are no skipped alerts, at least not the "Anomaly Detection" ones, so I guess this is not the resource issue.
How would I configure the immediate dispatch of my alerts?
Especially for the "Anomaly Detection" one it cannot wait 2 minutes to alert.

Splunk Version:7.0.0
Splunk Build
c8a78efdd40f

Kind Regards,
Kamil

View solution in original post

damucka · ‎02-04-2019

Hi,

The issue with the gap is clarified ... it was trivial, I asked the Splunk admin and he mentioned there would be some problems with the servers and they needed 10 min restart.

But anyway, perhaps you can help me with the second one I have, it is visible on the screenshot as well and this is a permanent lag of 2 mins between schedule time and dispatch time of this alert. This is actually not only for this alert but for many, not all though. Not sure where this can come from. There are no skipped alerts, at least not the "Anomaly Detection" ones, so I guess this is not the resource issue.
How would I configure the immediate dispatch of my alerts?
Especially for the "Anomaly Detection" one it cannot wait 2 minutes to alert.

Splunk Version:7.0.0
Splunk Build
c8a78efdd40f

Kind Regards,
Kamil

woodcock · ‎02-12-2019

You should click Accept to close your question.

woodcock · ‎02-01-2019

What version of Splunk search head?

vishaltaneja070 · ‎02-01-2019

@damucka,

Check if any issue with splunkd service at that time. Check for internal logs at that time.

Can you help me figure out this gap in the alert scheduling?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes