Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timing and how Splunk handles Scheduled Searches

rmorlen
Splunk Employee
Splunk Employee
‎12-27-2011 11:26 AM

We are trying to optimize the performance of our Splunk environment.

How does Splunk handle the following:

A scheduled search is scheduled to run every minute. It takes 20 minutes for the scheduled search to complete. Do 19 other searches get queued? Does Splunk ignore any additional runs of the search until the current search completes? Does Splunk not reschedule the next search until the current one completes?

I figure the person should inspect the search and then schedule it based on how long it takes to run. We are addressing that.

Thanks,
Randy

0 Karma
Reply

rmorlen
Splunk Employee
Splunk Employee
‎12-28-2011 10:35 AM

Yeah. We looked and didn't change anything. Basically we are working on some queries that report on the scheduled searches and report how long they are taking to run. We can then (manually) compare those with the frequency of their schedule and then give feedback to the owner of the scheduled search.

Thanks.

0 Karma
Reply

rmorlen
Splunk Employee
Splunk Employee
‎12-28-2011 08:21 AM

Thanks. That does help. Basically need to tweak savedsearches.conf.

0 Karma
Reply

rtadams89
Contributor
‎12-28-2011 09:29 AM

Or you may not. gkanapathy explained the default settings, which are generally what you want. Consider carefully what you are changing, as changing realtime_schedule could result in a massive bog-down.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎12-27-2011 10:35 PM

This is controlled by the setting realtime_schedule in savedsearches.conf, and can be set so that a particular search behaves the way you choose. If you create a search through the GUI, the non-summary searches are set with this enabled, which means that some instances of the search may be skipped if previous ones have not completed. If you create summary searches in the GUI, then this is disabled, which means that all scheduled executions will be queued up.

Reply

joy76
Path Finder
‎04-22-2013 03:27 AM

Hi, gkanapathy.
I am just wondering...
What do you mean by "you create summary searches in the GUI" and
"you create a search through the GUI" ?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...