I need help with the cron scheduling of my alert. It is:
0,30 * * * *
From which I would expect my alert to always be triggered at the 0th and 30th minute of an hour.
Below are my triggering times (I test it in such a way that a result is always returned, so the alert should always be triggered):
6:40 7:15 7:39 8:19 8:39 9:19 9:39 10:19 11:20 11:40
Any hint why this is and how I would reach my goal?
The alert search itself takes only a couple of seconds and does not justify these kinds of delays.
Could you please paste the cron notation in that case?
The following combination:
0 30 * * * *
Is not accepted by Splunk. Only the:
030 * * * *
But I guess it does not do what I want.
"Run on Schedule" --> "Cron expression" --> 0,30 * * * *
Each time I scan the time range of 7 days in the past with my search just to find something and trigger the alert. But as mentioned, the search itself is quite fast and should not lead to these kinds of delays.
Please check the scheduler log. There should be logs stating when the search ran and how long it took; maybe it's taking too long. index=_internal sourcetype=scheduler savedsearch_name=
I used the following search:
index=_internal sourcetype=scheduler savedsearch_name=BWP* savedsearch_name="BWP Parameter Changes" | convert ctime(scheduled_time) as SCHEDULE | convert ctime(dispatch_time) as DISPATCH | table _time SCHEDULE DISPATCH run_time
and there is a significant delay / difference between scheduled_time and dispatch_time. So I guess the scheduling works fine, but there is some issue with dispatching. What would be the common reasons for that? Resource exhaustion?
I scheduled it now a bit differently:
17,47 * * * *
to see if I get better results, assuming that many other searches get kicked off on the 0th and 30th minute of an hour.
Could be that more than this search is scheduled for this time, since many users/apps schedule their search around this time.
Nice that we got to the bottom of this 🙂
Please accept the answer 🙂
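The check discussed in this thread, as an added example that is not part of the original posts and not Splunk's own code: it computes the lag between scheduled_time and dispatch_time and groups it by the minute of the hour a search was scheduled for, so contention at :00 and :30 can be compared with off-peak minutes such as :17 and :47. The sample events are constructed and simplified, and the "Hypothetical Search" names, the function names and the 60-second threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not real Splunk output), using the field names
# from the thread's search. Times are epoch seconds.
SAMPLE_EVENTS = """\
savedsearch_name="BWP Parameter Changes" scheduled_time=1699999200 dispatch_time=1700000100 run_time=2.1
savedsearch_name="Hypothetical Search A" scheduled_time=1699999200 dispatch_time=1699999205 run_time=410.0
savedsearch_name="Hypothetical Search B" scheduled_time=1700000220 dispatch_time=1700000222 run_time=3.0
savedsearch_name="BWP Parameter Changes" scheduled_time=1700001000 dispatch_time=1700001540 run_time=1.9
savedsearch_name="BWP Parameter Changes" scheduled_time=1700002800 dispatch_time=1700003940 run_time=2.4
savedsearch_name="Hypothetical Search B" scheduled_time=1700002020 dispatch_time=1700002023 run_time=2.8
"""

# key=value pairs; a quoted value may contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value line into a dict of strings."""
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in FIELD_RE.findall(line)}


def lag_by_minute(text):
    """Summarise dispatch lag per scheduled minute of the hour (UTC)."""
    lags = defaultdict(list)
    for line in text.splitlines():
        ev = parse_event(line)
        if "scheduled_time" not in ev or "dispatch_time" not in ev:
            continue  # events without both timestamps cannot be measured
        sched = float(ev["scheduled_time"])
        minute = (int(sched) // 60) % 60
        lags[minute].append(float(ev["dispatch_time"]) - sched)
    return {m: {"count": len(v), "avg": sum(v) / len(v), "max": max(v)}
            for m, v in sorted(lags.items())}


def congested_minutes(stats, max_lag_sec=60):
    """Minutes where at least one search waited longer than max_lag_sec."""
    return [m for m, s in stats.items() if s["max"] > max_lag_sec]


if __name__ == "__main__":
    stats = lag_by_minute(SAMPLE_EVENTS)
    for minute, s in stats.items():
        print(f":{minute:02d} searches={s['count']} "
              f"avg_lag={s['avg']:.0f}s max_lag={s['max']:.0f}s")
    print("congested minutes:", congested_minutes(stats))
```

For a security alert, the dispatch lag measured here adds directly to the time between an event and its notification, so it is worth tracking alongside run_time.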