How can I flatten the search dispatching curve?

danielbb · ‎08-19-2020

We have lots of scheduled searches at the top of the hour. How should we go about distributing them across the hour? We have also scheduled searches running every 5 or 10 minutes and it's difficult to come with a direction on that.

Nisha18789 · ‎08-19-2020

Hi @danielbb , you can use cron schedule to distribute searches across an hour .

Also, try distributing some of the searches which runs every 5 mins to every 4 or 6 mins, so that the searches are not confined at multiple of 5 minutes of an hour( ex- :00, :05, :10 etc)

for ex- schedule some to run every 4 min using cron : */4 * * * *

some to run every 5 min using cron : */5 * * * *

some to run every 6 min using cron : */6 * * * *

and so on.. This will avoid queuing of searches and distribute the search load throughout an hour.

Hope this helps!

danielbb · ‎08-20-2020

That's a great idea to get out of the mode of every 5 or 10 minutes.

Nisha18789 · ‎08-20-2020

Thanks @danielbb , please mark my response as solution if it answers your query.

richgalloway · ‎08-19-2020

Could you please be more specific about the ask? Changing the schedule of a search is just a matter of editing the savedsearches.conf file (and restarting Splunk) or selecting "Edit Schedule" from the Searches, reports, and alerts page.

What is the difficulty with 5-minute searches?

---
If this reply helps you, Karma would be appreciated.

danielbb · ‎08-20-2020

The difficultly is in administrating thousands of such scheduled searches, avoiding the permanence peaks at the top of the hour and lower ones at the 5, 10, 15, etc. minute per the hour.

How can I flatten the search dispatching curve?

other

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability