Solved: How does a Schedule Saved Search work?

sranga · ‎05-05-2010

Hi

I have a question about the workings of the scheduled saved search. Suppose I have a slow-running search that has been scheduled to run every day. The time-range for this search is All-Time. Does the search run over the "all-time" period for every consecutive run after a successful previous run? Or is it smart enough to run only for the delta of the elapsed time between the last successful run and the present time?

Thanks for your input.

Ranga

mctester · ‎05-06-2010

No, scheduled searches are not that smart. It will run over 'All Time' every time it runs, that is the time-range that you have originally configured.

I realise that this is only an example, but in general, 'all time' searches are very resource intensive and scheduled searches should be optimized as much as possible. If you want to run a search every 24 hours, then you only need to search the last 24 hours - starthoursago=24 - similarly, if you're running an hourly search, you'll want to specify something like starthoursago=1

View solution in original post

mctester · ‎05-06-2010

No, scheduled searches are not that smart. It will run over 'All Time' every time it runs, that is the time-range that you have originally configured.

I realise that this is only an example, but in general, 'all time' searches are very resource intensive and scheduled searches should be optimized as much as possible. If you want to run a search every 24 hours, then you only need to search the last 24 hours - starthoursago=24 - similarly, if you're running an hourly search, you'll want to specify something like starthoursago=1

How does a Schedule Saved Search work?

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Tech Talk | One Log to Rule Them All