
What does the Schedule Window option for an Alert mean?

ddrillic
Ultra Champion

I'm not sure what the default 0 option means for the Schedule Window option.



woodcock
Esteemed Legend

It allows Splunk to shift the actual execution of that search forward in time a bit (keeping the effective timepicker value unshifted) so that Splunk can rearrange/reorder multiple scheduled searches slightly so that they don't all happen at the same time. Unless I have reason to be strict, I always set it to Auto for every scheduled search. The higher the percentage of saved searches that use this, the more even your resource usage will be (less spiky).


ddrillic
Ultra Champion

It's interesting to see the following -


ddrillic
Ultra Champion

Very interesting @woodcock.


ddrillic
Ultra Champion

Thank you for the answers and the information. Is there a way to change the default of 0 to Auto, meaning that Auto will be presented as the default and not 0?


sudosplunk
Motivator

You can add this schedule_window = auto to the savedsearches.conf under $SPLUNK_HOME/etc/users/local. But please read these points before doing that:

 * Defaults to 0 for searches that are owned by users with the
   edit_search_schedule_window capability. For such searches, this value can be
   changed.
 * Defaults to "auto" for searches that are owned by users that do not have the
   edit_search_window capability. For such searches, this setting cannot be
   changed.

More info is available in savedsearches.conf.spec file under schedule options section.

ddrillic
Ultra Champion

Great information @nittala_surya.


sudosplunk
Motivator

It specifies the "window" of time (in minutes) a search may start within. For example, let's say you scheduled your alert to run at 9:00 AM with a schedule window of 2 (minutes); the scheduler will keep a 2-minute window open for the alert to run. Meaning, if the scheduler is busy at 9:00 AM, it will still try to run your alert at 9:01 AM or 9:02 AM.

From docs:

schedule_window = <unsigned int> | auto
* When schedule_window is non-zero, it indicates to the scheduler that the
  search does not require a precise start time. This gives the scheduler
  greater flexibility when it prioritizes searches.
* When schedule_window is set to an integer greater than 0, it specifies the
  "window" of time (in minutes) a search may start within.
  + The schedule_window must be shorter than the period of the search.
  + Schedule windows are not recommended for searches that run every minute.
* When set to 0, there is no schedule window. The scheduler starts the search
  as close to its scheduled time as possible.
* When set to "auto," the scheduler calculates the schedule_window value
  automatically.
  + For more information about this calculation, see the search scheduler
    documentation.
* Defaults to 0 for searches that are owned by users with the
  edit_search_schedule_window capability. For such searches, this value can be
  changed.
* Defaults to "auto" for searches that are owned by users that do not have the
  edit_search_window capability. For such searches, this setting cannot be
  changed.
* A non-zero schedule_window is mutually exclusive with a non-default
  schedule_priority (see schedule_priority for details).
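A small checker for the constraints in the quoted spec, added here as an example (it is not Splunk's code and was not posted in this thread). It reads a savedsearches.conf, and for every scheduled stanza checks that a numeric schedule_window is shorter than the search period, flags windows on every-minute searches, and flags a non-zero window combined with a non-default schedule_priority. The stanza names, searches and file contents are constructed; the cron-to-period mapping is an assumption that only covers simple schedules (*/N minutes, a fixed minute every hour, */N hours, once a day) and reports anything else as unknown rather than guessing.

```python
"""Sanity-check schedule_window settings in a savedsearches.conf (constructed example)."""
import configparser

# Constructed sample file: stanza names and searches are made up for illustration.
SAMPLE_CONF = """
[Failed logins - every 5 min]
search = index=auth action=failure | stats count by user
cron_schedule = */5 * * * *
enableSched = 1
schedule_window = auto

[Hourly privilege change report]
search = index=auth action=modify object=role | stats count by user
cron_schedule = 0 * * * *
enableSched = 1
schedule_window = 90

[Every-minute watchdog]
search = index=_internal component=Scheduler status=skipped | stats count
cron_schedule = * * * * *
enableSched = 1
schedule_window = 1

[Daily summary with priority]
search = index=auth | stats count by action
cron_schedule = 0 6 * * *
enableSched = 1
schedule_window = 30
schedule_priority = higher

[Strict daily]
search = index=auth | stats count
cron_schedule = 0 7 * * *
enableSched = 1
schedule_window = 0
"""


def cron_period_minutes(cron):
    """Return the period in minutes for simple cron shapes, else None (assumption: simple shapes only)."""
    fields = cron.split()
    if len(fields) != 5:
        return None
    minute, hour, dom, month, dow = fields
    if (dom, month, dow) != ("*", "*", "*"):
        return None  # day-of-month / weekday restrictions are not a fixed period
    if minute == "*" and hour == "*":
        return 1
    if minute.startswith("*/") and hour == "*":
        return int(minute[2:])
    if minute.isdigit() and hour == "*":
        return 60
    if minute.isdigit() and hour.startswith("*/"):
        return 60 * int(hour[2:])
    if minute.isdigit() and hour.isdigit():
        return 24 * 60
    return None


def check_schedule_windows(conf_text):
    """Return {stanza: [finding, ...]} for every scheduled search; an empty list means no problem found."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case, e.g. enableSched
    parser.read_string(conf_text)
    report = {}
    for name in parser.sections():
        stanza = parser[name]
        if stanza.get("enableSched", "0") != "1":
            continue  # not scheduled, so schedule_window does not apply
        window = stanza.get("schedule_window", "0").strip().lower()
        priority = stanza.get("schedule_priority", "default").strip().lower()
        period = cron_period_minutes(stanza.get("cron_schedule", ""))
        findings = []
        if window == "auto":
            # auto resolves to a computed non-zero window, so the priority exclusion is assumed to apply
            if priority != "default":
                findings.append("non-zero window conflicts with schedule_priority=%s" % priority)
        elif not window.isdigit():
            findings.append("schedule_window must be an unsigned int or auto, got %r" % window)
        elif int(window) > 0:
            minutes = int(window)
            if period is None:
                findings.append("unknown period for cron %r; check window manually" % stanza.get("cron_schedule"))
            elif period == 1:
                findings.append("schedule window not recommended for every-minute searches")
            elif minutes >= period:
                findings.append("window %d min is not shorter than period %d min" % (minutes, period))
            if priority != "default":
                findings.append("non-zero window conflicts with schedule_priority=%s" % priority)
        report[name] = findings
    return report


if __name__ == "__main__":
    for stanza, findings in check_schedule_windows(SAMPLE_CONF).items():
        print(stanza, "->", findings or ["ok"])
```

Run against a real file by reading it into `check_schedule_windows` instead of `SAMPLE_CONF`; stanzas the checker cannot derive a period for are listed explicitly so they can be reviewed by hand rather than silently passed.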

burwell
SplunkTrust

You probably want to check the great talk by Paul Lucas about the Splunk scheduler at last year's Splunk conference.

http://conf.splunk.com/sessions/2017-sessions.html#search=scheduler

There are slides and a recording to listen to. There is explanation about the window and other features too.

skoelpin
SplunkTrust

What version are you running?


ddrillic
Ultra Champion

@skoelpin - it's 7.0.1.
