Alert setup best practice to avoid max concurrent ...

pdantuuri0411 · ‎07-20-2020

Hi, We are trying to set up around 60 alerts. Ideally, Each alert is set up to run every 3 minutes and check the data for the last 3 minutes. I am aware of the issue with concurrent searches and alerts getting skipped when there are more than 5 concurrent searches.

What is the best way to create these alerts?

Is there a way to set up the alerts to run between minutes like below example?

Example -

Alert 1 - 12:00:00

Alert 2 - 12:00:05

Alert 3 - 12:00:10

Alert 4 - 12:00:15

anilchaithu · ‎07-20-2020

@pdantuuri0411

Its possible to distribute the search jobs either by using one of the below techniques

schedule_priority (use this for better results)
search window

you have to configure it through searches, reports & alerts -> Edit -> Advanced Edit

OR

add below attributes to the concerned stanza in savedsearches.conf

schedule_priority = [default | higher | highest]
schedule_window = <unsigned integer> | auto

https://docs.splunk.com/Documentation/Splunk/8.0.5/Alert/AlertSchedulingBestPractices

Hope this helps

Alert setup best practice to avoid max concurrent searches

indexer

monitoring console

scheduler activity

search performance

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation