Re: Can we pause a scheduled search for 30 seconds...

Srubhi · ‎04-25-2023

I need to know how we can pause the search for 30 seconds and then run the saved search
for example, i have a search scheduled at 9:30:00 my requirement is that the search should pause for 30 seconds and run at 9:30:30 seconds.

It would be more helpful if anyone help me in resolving this!!

happy Splunking!!

PickleRick · ‎04-25-2023

No. There is no "pause" command.

Also please remember that just because the schedule says "9:30:00", it does not mean that the search will be run at that particular point in time. Scheduling and spawning the search usually takes some time even on a lightly-loaded infrastructure. And if you have delayed/skipped searches - don't even get me started 😉

There is also a question of what time you understand as "starting the search" - dispatching the search to a SHC member? Initializing the search on that member? Pushing the search request to the indexers?

So don't rely on the "start search" time. If you want your search to return results from a particular time range, specify it in the time specifier (oh boy, this sounds bad :-)) and adjust your search schedule accordingly.

In other words, if you want your search to always return data from X:30:30 to X+1:30:30, schedule your search to - for example

35 * * * *

and set

earliest=-1h@h+30m+30s latest=@h+30m+30s

Can we pause a scheduled search for 30 seconds??

search job inspector

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update