Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Staggering cron alerts?

kwkeefer
Explorer
‎05-09-2017 07:28 AM

After nearly doubling the amount of scheduled (cron) alerts in my Splunk environment, I'm starting to see some performance issues.

The alerts run every five minutes, and look at the previous five minute's worth of data. 

earliest = -5m@m 
latest = now
cron expression: */5 * * * *

It has been recommended to me to stagger the scheduled alerts so that, for example, some are running at 12:01, others run at 12:02, others run at 12:03, etc.

Is this possible? I'm having difficulty finding an options in the 'edit alert' page to further fine tune the cron schedule so that I can set an actual start time.

Also, the advice I got is perplexing, because I added the alerts manually; I would assume they would already be staggered because of the fact that I didn’t wait until exactly 12:00 or 12:05 to hit the submit button when creating each alert. Is that an incorrect assumption?

0 Karma
Reply

woodcock
Esteemed Legend
‎05-10-2017 09:17 AM

You should just set Schedule window to Auto and leave it at */5 and Splunk will do the staggering for you.

Reply

adonio
Ultra Champion
‎05-09-2017 07:44 AM

hello there,
first i will recommend that if you have the alert run every 5 minutes, let it search from 6 or 7 minutes ago until 1 or 2 minutes ago or go further 15 -10 minutes ago. that will give you better search performance then searching till time=now
here is how to manually edit cron to whichever expression you would like under the save alert popoup:

alt text

alt text

Preview file
60 KB
Preview file
74 KB
Reply

DalJeanis
Legend
‎05-09-2017 08:25 AM

Also, in answer to OPs question about staggering the times...

cron expression: 1/5 * * * * ... every 5 minutes starting at 1 minute after the hour

cron expression: 2/5 * * * * ... every 5 minutes starting at 2 minutes after the hour

cron expression: 3/5 * * * * ... every 5 minutes starting at 3 minutes after the hour

0 Karma
Reply

kwkeefer
Explorer
‎05-09-2017 08:43 AM

Would it be something like 

1/5* * * *

or just

1/5

Sorry - I am not very experienced at cron / splunk.

0 Karma
Reply

adonio
Ultra Champion
‎05-10-2017 06:45 AM

this tool explains it better then i do
https://crontab.guru/

0 Karma
Reply

kwkeefer
Explorer
‎05-10-2017 09:20 AM

Thank you.

0 Karma
Reply

kwkeefer
Explorer
‎05-09-2017 07:53 AM

First, thanks for your response.

You don't by chance know of any documentation that mentions why using the 'now' option is better for performance, do you? I saw in 'Alert scheduling tips' in the docs said that delaying the search will help ensure you capture all the results, but it doesn't mention performance. I'm curious to know more.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...