We have a distributed environment, and a lot of people have searches set to run every 15 minutes. This is leading to a huge spike in searches every 15 minutes. Is there a way to specify the Schedule Window to default to auto or 5 minutes, and allow overrides manually as needed?
https://docs.splunk.com/Documentation/Splunk/6.5.2/Report/PrioritizescheduledreportsinSplunkWeb mentioned the possibility of auto, but I haven't seen that option in Splunk Web. I haven't seen anything that says that you can set a default option for that setting.
Thank you for any information you can provide.
Thanks
-Jeff
Oh, sorry, I completely misread your question! Must. Slow. Down.
The default schedule window is auto if the role has the edit_search_schedule_window priority. Do you have a role you can customize for these users? They will also need the schedule_searches capability.
I guess you could edit $SPLUNK_HOME/etc/system/local/savedsearches.conf and add:
schedule_window = auto
Just make sure your existing searches that need a specific setting of 0, 1 etc have that set already. All searches you add after this change should now have auto set by default.
You will need to teach your users that auto is a bad setting in certain situations.
Refer - https://conf.splunk.com/session/2015/conf2015_PLucas_Splunk_SplunkEntWhatsNew_MakingTheMostOf.pdf
This document discussed Schedule search window.
Give a schedule window to searches that don't have to run at specific time
Example
For a given search, it's OK if it starts running sometime between midnight and 6am, but you don't really care when specifically
A search with a window helps other searches
Search windows should not be used for searches that run every minute
Search windows must be less than a search's period
Hi Chris:
The users role already has schedule_searches and edit_search_schedule_window.
If I'm understanding things, then this means that with a Search Window of 0, then searches should be set to auto by default. Is there any way to tell whether a scheduled search is using/having its start time modified by a search window?
Thanks
-Jeff
If you want definitive proof that a schedule window is being applied to a search, inspect scheduler.log and see if a window_time field is associated with the search.
The true test, of course, is whether the schedule window is effective. You should only apply it to searches that seem to be causing other searches to skip their scheduled runs. If you apply it to a scheduled search and find that the skip frequency for the other searches decreases, that is a good indication that the window is doing its job.
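An added example, not part of the original thread and not Splunk's own tooling: a small parser that reports, per saved search, whether a window_time field shows up in scheduler.log events, how often the search was skipped, and how late it started. The log lines are constructed, and every field name other than window_time (savedsearch_name, status, scheduled_time, dispatch_time) and the key=value layout are assumptions to check against your own scheduler.log.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed key=value layout. Only the file name
# scheduler.log and the window_time field name come from the thread.
SAMPLE_LOG = """\
02-15-2017 10:15:02.101 +0000 INFO SavedSplunker - savedsearch_name="Failed logins", status=success, scheduled_time=1487153700, window_time=300, dispatch_time=1487153822
02-15-2017 10:15:02.140 +0000 INFO SavedSplunker - savedsearch_name="Disk usage", status=skipped, scheduled_time=1487153700
02-15-2017 10:15:09.000 +0000 INFO SavedSplunker - scheduler housekeeping message
02-15-2017 10:30:01.310 +0000 INFO SavedSplunker - savedsearch_name="Failed logins", status=success, scheduled_time=1487154600, window_time=300, dispatch_time=1487154641
02-15-2017 10:30:01.350 +0000 INFO SavedSplunker - savedsearch_name="Disk usage", status=success, scheduled_time=1487154600, dispatch_time=1487154601
"""

# key=value pairs; values are either double-quoted or run to the next comma/space.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_line(line):
    """Return the key=value fields of one log line as a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}

def summarize(lines):
    """Per saved search: runs, skip ratio, window_time values seen, worst start delay."""
    acc = defaultdict(lambda: {"runs": 0, "skipped": 0, "windows": set(), "delays": []})
    for line in lines:
        f = parse_line(line)
        name = f.get("savedsearch_name")
        if name is None:            # not a per-search event
            continue
        s = acc[name]
        s["runs"] += 1
        s["skipped"] += f.get("status") == "skipped"
        if "window_time" in f:
            s["windows"].add(f["window_time"])
        sched, disp = f.get("scheduled_time", ""), f.get("dispatch_time", "")
        if sched.isdigit() and disp.isdigit():
            s["delays"].append(int(disp) - int(sched))
    return {name: {"runs": s["runs"],
                   "skip_ratio": s["skipped"] / s["runs"],
                   "window_times": sorted(s["windows"]),
                   "max_delay_s": max(s["delays"], default=0)}
            for name, s in acc.items()}

if __name__ == "__main__":
    for name, row in summarize(SAMPLE_LOG.splitlines()).items():
        print(name, row)
```

Comparing skip_ratio for the other searches before and after a window is applied gives the effectiveness check described above.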
Thank you very much, both of you!
FYI, mattness has updated the documentation topic to include this information now.
You can set the default time range for ad-hoc searches across all apps using Settings > Server Settings > Search Preferences or user-prefs.conf. See Change default values in the Admin Manual.
I'm more looking for the Schedule Window for scheduled searches. Ad hoc searches already have a lot of settings that are pushed to users.
Thanks for your response though.
-Jeff