Reporting

Is there a way to specify the Splunk search Schedule Window defaults?

jeffreyjewitt
Explorer

We have a distributed environment, and a lot of people have searches set to run every 15 minutes. This is leading to a huge spike in searches every 15 minutes. Is there a way to specify the Schedule Window to default to auto or 5 minutes, and allow overrides manually as needed?

https://docs.splunk.com/Documentation/Splunk/6.5.2/Report/PrioritizescheduledreportsinSplunkWeb mentioned the possibility of auto, but I haven't seen that option in Splunk Web. I haven't seen anything that says that you can set a default option for that setting.

Thank you for any information you can provide.

Thanks
-Jeff

0 Karma
1 Solution

ChrisG
Splunk Employee

Oh, sorry, I completely misread your question! Must. Slow. Down.

The default schedule window is auto if the role has the edit_search_schedule_window priority. Do you have a role you can customize for these users? They will also need the schedule_searches capability.

0 Karma

mikaelbje
Motivator

I guess you could edit $SPLUNK_HOME/etc/system/local/savedsearches.conf and add:

schedule_window = auto

Just make sure your existing searches that need a specific setting of 0, 1 etc have that set already. All searches you add after this change should now have auto set by default.

You will need to teach your users that auto is a bad setting in certain situations.

0 Karma

rbal_splunk
Splunk Employee

Refer - https://conf.splunk.com/session/2015/conf2015_PLucas_Splunk_SplunkEntWhatsNew_MakingTheMostOf.pdf

This document discusses the schedule search window.

Give a schedule window to searches that don’t have to run at a specific time.

Example: For a given search, it’s OK if it starts running sometime between midnight and 6am, but you don't really care when specifically.

A search with a window helps other searches.
Search windows should not be used for searches that run every minute.
Search windows must be less than a search’s period.

0 Karma

jeffreyjewitt
Explorer

Hi Chris:
The users role already has schedule_searches and edit_search_schedule_window.
If I'm understanding things, then this means that with a Search Window of 0, then searches should be set to auto by default. Is there any way to tell whether a scheduled search is using/having its start time modified by a search window?
Thanks
-Jeff

0 Karma

mattness
Splunk Employee

If you want definitive proof that a schedule window is being applied to a search, inspect scheduler.log and see if a window_time field is associated with the search.

The true test, of course, is whether the schedule window is effective. You should only apply it to searches that seem to be causing other searches to skip their scheduled runs. If you apply it to a scheduled search and find that the skip frequency for the other searches decreases, that is a good indication that the window is doing its job.
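
One way to run the check described above over exported scheduler.log lines, as an added example that is not part of the original thread. The sample lines are constructed, and the field names other than window_time (savedsearch_name, status, scheduled_time, dispatch_time) are assumptions about the log's key=value layout.

```python
import re
from collections import defaultdict

# Constructed sample lines in a key=value style; search names, users and all
# values are made up for illustration and are not taken from a real system.
SAMPLE_LOG = '''\
03-01-2017 12:17:02.101 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Failed logins", user="alice", app="search", savedsearch_name="Failed logins", status=success, scheduled_time=1488370500, window_time=300, dispatch_time=1488370622, run_time=4.2
03-01-2017 12:15:00.412 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Disk usage", user="bob", app="search", savedsearch_name="Disk usage", status=success, scheduled_time=1488370500, dispatch_time=1488370500, run_time=1.1
03-01-2017 12:15:00.500 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;Proxy summary", user="bob", app="search", savedsearch_name="Proxy summary", status=skipped, scheduled_time=1488370500
'''

# key="quoted value" or key=bare_value (bare values end at a comma or space)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_line(line):
    """Return the key=value pairs of one log line as a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def summarize(log_text):
    """Per saved search: runs, skips, whether window_time was ever logged,
    and the largest gap between scheduled_time and dispatch_time."""
    stats = defaultdict(lambda: {"runs": 0, "skipped": 0,
                                 "window_time_seen": False, "max_delay_s": 0})
    for line in log_text.splitlines():
        fields = parse_line(line)
        name = fields.get("savedsearch_name")
        if not name:
            continue  # not a saved-search event
        entry = stats[name]
        if fields.get("status") == "skipped":
            entry["skipped"] += 1
            continue
        entry["runs"] += 1
        # The criterion from the answer: is a window_time field present?
        if "window_time" in fields:
            entry["window_time_seen"] = True
        if "scheduled_time" in fields and "dispatch_time" in fields:
            delay = int(fields["dispatch_time"]) - int(fields["scheduled_time"])
            entry["max_delay_s"] = max(entry["max_delay_s"], delay)
    return dict(stats)

if __name__ == "__main__":
    for name, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(name, entry)
```

Comparing the skipped counts before and after a window is applied gives the effectiveness check from the second paragraph of the answer.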

jeffreyjewitt
Explorer

Thank you very much, both of you!

0 Karma

ChrisG
Splunk Employee

FYI, mattness has updated the documentation topic to include this information now.

0 Karma

ChrisG
Splunk Employee

You can set the default time range for ad-hoc searches across all apps using Settings > Server Settings > Search Preferences or user-prefs.conf. See Change default values in the Admin Manual.

0 Karma

jeffreyjewitt
Explorer

I'm more looking for the Schedule Window for scheduled searches. Ad hoc searches already have a lot of settings that are pushed to users.
Thanks for your response though.
-Jeff

0 Karma