Is there a way to specify the Splunk search Schedule Window defaults?

jeffreyjewitt
Explorer

We have a distributed environment, and a lot of people have searches set to run every 15 minutes. This is leading to a huge spike in searches every 15 minutes. Is there a way to specify the Schedule Window to default to auto or 5 minutes, and allow overrides manually as needed?

https://docs.splunk.com/Documentation/Splunk/6.5.2/Report/PrioritizescheduledreportsinSplunkWeb mentioned the possibility of auto, but I haven't seen that option in Splunk Web. I haven't seen anything that says that you can set a default option for that setting.

Thank you for any information you can provide.

Thanks
-Jeff

1 Solution

ChrisG
Splunk Employee

Oh, sorry, I completely misread your question! Must. Slow. Down.

The default schedule window is auto if the role has the edit_search_schedule_window priority. Do you have a role you can customize for these users? They will also need the schedule_searches capability.

mikaelbje
Motivator

I guess you could edit $SPLUNK_HOME/etc/system/local/savedsearches.conf and add:

schedule_window = auto

Just make sure your existing searches that need a specific setting of 0, 1 etc have that set already. All searches you add after this change should now have auto set by default.

You will need to teach your users that auto is a bad setting in certain situations.

rbal_splunk
Splunk Employee

Refer - https://conf.splunk.com/session/2015/conf2015_PLucas_Splunk_SplunkEntWhatsNew_MakingTheMostOf.pdf

This document discusses the Schedule search window.

Give a schedule window to searches that don’t have to run at specific time
Example
For a given search, it’s OK if it starts running sometime between midnight and 6am, but you don't really care when specifically
A search with a window helps other searches
Search windows should not be used for searches that run every minute
Search windows must be less than a search’s period

jeffreyjewitt
Explorer

Hi Chris:
The users role already has schedule_searches and edit_search_schedule_window.
If I'm understanding things, then this means that with a Search Window of 0, then searches should be set to auto by default. Is there any way to tell whether a scheduled search is using/having its start time modified by a search window?
Thanks
-Jeff


mattness
Splunk Employee

If you want definitive proof that a schedule window is being applied to a search, inspect scheduler.log and see if a window_time field is associated with the search.

The true test, of course, is whether the schedule window is effective. You should only apply it to searches that seem to be causing other searches to skip their scheduled runs. If you apply it to a scheduled search and find that the skip frequency for the other searches decreases, that is a good indication that the window is doing its job.
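The check described in the post above, as an added example that is not part of the original thread: a small parser that reads scheduler.log lines and reports, per saved search, the window_time values seen, the largest start delay, and the number of skipped runs. The sample lines are constructed, and the field names other than window_time (savedsearch_name, status, scheduled_time, dispatch_time) are assumed to match your scheduler.log.

```python
import re
from collections import defaultdict

# Constructed sample lines in the key=value style of scheduler.log (names and values are made up).
SAMPLE_LOG = '''\
01-15-2017 10:17:02.101 -0500 INFO SavedSplunker - savedsearch_name="Errors last 15m", user="jeff", status=success, scheduled_time=1484493300, window_time=300, dispatch_time=1484493422, run_time=4.210
01-15-2017 10:30:03.050 -0500 INFO SavedSplunker - savedsearch_name="Errors last 15m", user="jeff", status=success, scheduled_time=1484494200, window_time=300, dispatch_time=1484494203, run_time=3.900
01-15-2017 10:15:01.004 -0500 INFO SavedSplunker - savedsearch_name="License check", user="admin", status=success, scheduled_time=1484493300, window_time=0, dispatch_time=1484493301, run_time=0.800
01-15-2017 10:15:00.900 -0500 INFO SavedSplunker - savedsearch_name="Hourly rollup", user="ops", status=skipped, reason="concurrency limit reached (constructed)", scheduled_time=1484493300
'''

# key=value or key="quoted value, possibly with commas"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|[^,\s]+)')

def parse_line(line):
    """Return the key=value pairs of one log line as a dict of strings."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}

def summarize(log_text):
    """Per saved search: completed runs, skipped runs, window_time values, max start delay (s)."""
    stats = defaultdict(lambda: {"runs": 0, "skipped": 0,
                                 "window_times": set(), "max_delay": 0})
    for line in log_text.splitlines():
        fields = parse_line(line)
        name = fields.get("savedsearch_name")
        if not name:
            continue  # not a saved-search event
        entry = stats[name]
        if fields.get("status") == "skipped":
            entry["skipped"] += 1
            continue
        entry["runs"] += 1
        if "window_time" in fields:
            entry["window_times"].add(int(fields["window_time"]))
        if "scheduled_time" in fields and "dispatch_time" in fields:
            # How far the scheduler moved the start from the scheduled slot.
            delay = int(fields["dispatch_time"]) - int(fields["scheduled_time"])
            entry["max_delay"] = max(entry["max_delay"], delay)
    return dict(stats)

if __name__ == "__main__":
    for name, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(name, entry)
```

Run it before and after changing a search's schedule window and compare the skipped counts of the other searches, which is the effectiveness test the post describes.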

jeffreyjewitt
Explorer

Thank you very much, both of you!


ChrisG
Splunk Employee

FYI, mattness has updated the documentation topic to include this information now.


ChrisG
Splunk Employee

You can set the default time range for ad-hoc searches across all apps using Settings > Server Settings > Search Preferences or user-prefs.conf. See Change default values in the Admin Manual.


jeffreyjewitt
Explorer

I'm more looking for the Schedule Window for scheduled searches. Ad hoc searches already have a lot of settings that are pushed to users.
Thanks for your response though.
-Jeff
