Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How scheduling works?

lukasz92
Communicator
‎08-17-2016 05:42 AM

Hi,

I have a scheduled search that runs every 1 minute and it searches events on last 1 minute.

Will this search cover all future events?
If the search could start (for example) at 5:07:05 and than at 5:08:07 - are the data from (5:07:05 - 5:07:07) lost?

Reply
1 Solution
Solved! Jump to solution
Solution

horsefez
Motivator
‎08-17-2016 05:53 AM

Hi lukasz92,

there is a solution to your problem.

Try to apply the following settings to your alert

alt text

This will asure, that everything from 02:46:00 to 02:47:00 is covered. The alert is able to run between 02:47:00 and 02:47:59 and will still catch the data.

BUT, splunk takes time to index data... so data that reaches the machine on 02:46:59 might not be indexed by 02:47:00... so you should try to make like a little "window" for your alert to run in... do that in the Cron-Expression field.

View solution in original post

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution
Solution

horsefez
Motivator
‎08-17-2016 05:53 AM

Hi lukasz92,

there is a solution to your problem.

Try to apply the following settings to your alert

alt text

This will asure, that everything from 02:46:00 to 02:47:00 is covered. The alert is able to run between 02:47:00 and 02:47:59 and will still catch the data.

BUT, splunk takes time to index data... so data that reaches the machine on 02:46:59 might not be indexed by 02:47:00... so you should try to make like a little "window" for your alert to run in... do that in the Cron-Expression field.

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

lukasz92
Communicator
‎08-17-2016 06:30 AM

it is a great solution. I have not thought about "@m".
Thanks!

0 Karma
Reply
Solved! Jump to solution

horsefez
Motivator
‎08-17-2016 09:20 AM

Glad to help! 🙂

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎08-17-2016 05:51 AM

What are you trying to accomplish with your scheduled search? Do you have an alert tied to this scheduled search?

You set the time window for 1 minute, so technically the data is not "lost", but the data is not available in your 1 minute window if it's older than 1 minute

0 Karma
Reply
Solved! Jump to solution

lukasz92
Communicator
‎08-17-2016 06:28 AM

Yes, Something like searching for custom events and alerting.

Technically I agree and understand - my question was about practice: how this does actually work.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...