Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is a long-running scheduled search running multiple times over a short time period?

esalesapns2
Path Finder
‎10-30-2019 07:14 AM

Splunk Enterprise, v7.0.3

I ran the search in https://answers.splunk.com/answers/750097/search-performance-impact-how-to-find-user-deployi.html

I see the exact same alert running 9 times in a 5-minute period that eats 130 to 165 data.pct_cpu each time.

It's an Alert private to a user scheduled to run at 8:00. It ran 9 different times from 9:23 to 9:28 am, according to the search.

Is it a bug in the search due to the way "stats latest(data.pct_cpu) is used that makes the "_time" off?

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...