Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I flatten the search dispatching curve?

danielbb
Motivator
‎08-19-2020 12:32 PM

We have lots of scheduled searches at the top of the hour. How should we go about distributing them across the hour? We have also scheduled searches running every 5 or 10 minutes and it's difficult to come with a direction on that.

0 Karma
Reply

Nisha18789
Builder
‎08-19-2020 03:48 PM

Hi @danielbb , you can use cron schedule to distribute searches across an hour .

Also, try distributing some of the searches which runs every 5 mins  to every 4 or 6 mins, so that the searches are not confined at multiple of 5 minutes of an hour( ex- :00, :05, :10 etc)

for ex- schedule some to run every 4 min using cron : */4 * * * *

some to run every 5 min using cron : */5 * * * *

some to run every 6 min using cron : */6 * * * *

and so on.. This will avoid queuing of searches and distribute the search load throughout an hour.

Hope this helps!

 

 

Reply

danielbb
Motivator
‎08-20-2020 06:57 AM

That's a great idea to get out of the mode of every 5 or 10 minutes.

0 Karma
Reply

Nisha18789
Builder
‎08-20-2020 07:05 AM

Thanks @danielbb , please mark my response as solution if it answers your query.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-19-2020 02:01 PM

Could you please be more specific about the ask?  Changing the schedule of a search is just a matter of editing the savedsearches.conf file (and restarting Splunk) or selecting "Edit Schedule" from the Searches, reports, and alerts page.

What is the difficulty with 5-minute searches?

---
If this reply helps you, Karma would be appreciated.
Reply

danielbb
Motivator
‎08-20-2020 07:02 AM

The difficultly is in administrating thousands of such scheduled searches, avoiding the permanence peaks at the top of the hour and lower ones at the 5, 10, 15, etc. minute per the hour.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...