Solved: Re: How can I determine the lag between when an ap...

nnmiller · ‎07-29-2016

Our scheduled searches seem to be lagging behind. I need a search to identify the delay between the scheduled time and the actual run time.

nnmiller · ‎07-29-2016

index=_internal (host=) sourcetype=scheduler app= scheduled_time=* 
| eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") | eval delay_in_start = (dispatch_time - scheduled_time) 
| eval scheduled_time=strftime(scheduled_time,"%Y-%m-%d %H:%M:%S") 
| eval dispatch_time=strftime(dispatch_time,"%Y-%m-%d %H:%M:%S") 
| table savedsearch_name,delay_in_start, scheduled_time, dispatch_time, time, run_time, status

Replace search_head_hostname with your search head name or IP address, replace app with the name of an app or remove it for all scheduled searches.

Hat tip: A very clueful customer

View solution in original post

nnmiller · ‎07-29-2016

index=_internal (host=) sourcetype=scheduler app= scheduled_time=* 
| eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") | eval delay_in_start = (dispatch_time - scheduled_time) 
| eval scheduled_time=strftime(scheduled_time,"%Y-%m-%d %H:%M:%S") 
| eval dispatch_time=strftime(dispatch_time,"%Y-%m-%d %H:%M:%S") 
| table savedsearch_name,delay_in_start, scheduled_time, dispatch_time, time, run_time, status

Replace search_head_hostname with your search head name or IP address, replace app with the name of an app or remove it for all scheduled searches.

Hat tip: A very clueful customer

RicoSuave · ‎08-17-2016

OHS MAIS GAWDS! IS EXACTLIES GUATS I GUAS LEWKANS FOUR! JEW HLEPS ME FIINDS THESE LAGERS IN MAI ENVIRONMENTS!

How can I determine the lag between when an app's scheduled search is supposed to run and when it actually runs?

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting