Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I flatten the search dispatching curve?

danielbb
Motivator
‎08-19-2020 12:32 PM

We have lots of scheduled searches at the top of the hour. How should we go about distributing them across the hour? We have also scheduled searches running every 5 or 10 minutes and it's difficult to come with a direction on that.

0 Karma
Reply

Nisha18789
Builder
‎08-19-2020 03:48 PM

Hi @danielbb , you can use cron schedule to distribute searches across an hour .

Also, try distributing some of the searches which runs every 5 mins  to every 4 or 6 mins, so that the searches are not confined at multiple of 5 minutes of an hour( ex- :00, :05, :10 etc)

for ex- schedule some to run every 4 min using cron : */4 * * * *

some to run every 5 min using cron : */5 * * * *

some to run every 6 min using cron : */6 * * * *

and so on.. This will avoid queuing of searches and distribute the search load throughout an hour.

Hope this helps!

 

 

Reply

danielbb
Motivator
‎08-20-2020 06:57 AM

That's a great idea to get out of the mode of every 5 or 10 minutes.

0 Karma
Reply

Nisha18789
Builder
‎08-20-2020 07:05 AM

Thanks @danielbb , please mark my response as solution if it answers your query.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-19-2020 02:01 PM

Could you please be more specific about the ask?  Changing the schedule of a search is just a matter of editing the savedsearches.conf file (and restarting Splunk) or selecting "Edit Schedule" from the Searches, reports, and alerts page.

What is the difficulty with 5-minute searches?

---
If this reply helps you, Karma would be appreciated.
Reply

danielbb
Motivator
‎08-20-2020 07:02 AM

The difficultly is in administrating thousands of such scheduled searches, avoiding the permanence peaks at the top of the hour and lower ones at the 5, 10, 15, etc. minute per the hour.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...