What does the Schedule Window option for an Alert mean?

Ultra Champion

I'm not sure what the default 0 option means for the Schedule Window option.

1 Solution

Esteemed Legend

It allows Splunk to shift the actual execution of that search forward in time a bit (keeping the effective timepicker value unshifted) so that Splunk can rearrange/reorder multiple scheduled searches slightly so that they don't all happen at the same time. Unless I have reason to be strict, I always set it to Auto for every scheduled search. The higher the percentage of saved searches that use this, the more even your resource usage will be (less spiky).

Ultra Champion

It's interesting to see the following -

Ultra Champion

Very interesting @woodcock.

Ultra Champion

Thank you for the answers and the information. Is there a way to change the default of 0 to Auto? Meaning that Auto will be presented as the default and not 0 ...

Motivator

You can add this schedule_window = auto to the savedsearches.conf under $SPLUNK_HOME/etc/users/local. But please read these points before doing that:

 * Defaults to 0 for searches that are owned by users with the
   edit_search_schedule_window capability. For such searches, this value can be
   changed.
 * Defaults to "auto" for searches that are owned by users that do not have the
   edit_search_window capability. For such searches, this setting cannot be
   changed.

More info is available in the savedsearches.conf.spec file under the schedule options section.

Ultra Champion

Great information @nittala_surya.

Motivator

It specifies the "window" of time (in minutes) a search may start within. For example, let's say you scheduled your alert to run at 9:00 AM with a schedule window of 2 (minutes); the scheduler will keep a 2-minute window open for the alert to run. Meaning, if the scheduler is busy at 9:00 AM, it will still try to run your alert at 9:01 AM or 9:02 AM.

From docs:

schedule_window = <unsigned int> | auto
* When schedule_window is non-zero, it indicates to the scheduler that the
  search does not require a precise start time. This gives the scheduler
  greater flexibility when it prioritizes searches.
* When schedule_window is set to an integer greater than 0, it specifies the
  "window" of time (in minutes) a search may start within.
  + The schedule_window must be shorter than the period of the search.
  + Schedule windows are not recommended for searches that run every minute.
* When set to 0, there is no schedule window. The scheduler starts the search
  as close to its scheduled time as possible.
* When set to "auto," the scheduler calculates the schedule_window value
  automatically.
  + For more information about this calculation, see the search scheduler
    documentation.
* Defaults to 0 for searches that are owned by users with the
  edit_search_schedule_window capability. For such searches, this value can be
  changed.
* Defaults to "auto" for searches that are owned by users that do not have the
  edit_search_window capability. For such searches, this setting cannot be
  changed.
* A non-zero schedule_window is mutually exclusive with a non-default
  schedule_priority (see schedule_priority for details).
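
The constraints in the spec excerpt above can be checked mechanically across a set of scheduled alerts. The following is an added example, not part of the original thread and not Splunk's own code: it lints a constructed savedsearches.conf sample against those rules. The stanza names are made up, the cron period estimate handles only `*`, `*/N` and fixed fields, and "default" is assumed to be the default schedule_priority value.

```python
import configparser

# Constructed sample savedsearches.conf; stanza names and schedules are made up.
SAMPLE_CONF = """
[Failed logins - every minute]
cron_schedule = * * * * *
schedule_window = 1
[Hourly privilege changes]
cron_schedule = 0 * * * *
schedule_window = 90
[Five minute beaconing check]
cron_schedule = */5 * * * *
schedule_window = 2
schedule_priority = highest
[Daily report]
cron_schedule = 30 6 * * *
schedule_window = auto
"""

def period_minutes(cron):
    """Rough period of a cron schedule; handles only '*', '*/N' and fixed values."""
    minute, hour = cron.split()[:2]
    for field, unit in ((minute, 1), (hour, 60)):
        if field == "*":
            return unit
        if field.startswith("*/"):
            return unit * int(field[2:])
    return 1440  # fixed minute and hour: treated as daily or less often

def audit(conf_text):
    """Return {stanza: [findings]} for the constraints quoted from the spec."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = {}
    for name in cp.sections():
        s = cp[name]
        window = s.get("schedule_window", fallback="0").strip()
        if window in ("0", "auto") or "cron_schedule" not in s:
            continue  # no fixed window to check
        issues, period = [], period_minutes(s["cron_schedule"])
        if period == 1:
            issues.append("window on a search that runs every minute")
        if int(window) >= period:
            issues.append(f"window {window}m not shorter than period {period}m")
        # Assumption: "default" is the value of an unset schedule_priority.
        if s.get("schedule_priority", fallback="default").strip() != "default":
            issues.append("non-zero window with non-default schedule_priority")
        if issues:
            findings[name] = issues
    return findings
```

Calling `audit(SAMPLE_CONF)` flags the first three stanzas and skips the one set to auto.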

SplunkTrust

You probably want to check the great talk by Paul Lucas about the Splunk scheduler at last year's Splunk conference.

http://conf.splunk.com/sessions/2017-sessions.html#search=scheduler

There are slides and a recording to listen to. There is an explanation of the window and other features too.

SplunkTrust

What version are you running?

Ultra Champion

@skoelpin - it's 7.0.1.
