Timing and how Splunk handles Scheduled Searches

rmorlen
Splunk Employee

We are trying to optimize the performance of our Splunk environment.

How does Splunk handle the following:

A scheduled search is scheduled to run every minute. It takes 20 minutes for the scheduled search to complete. Do 19 other searches get queued? Does Splunk ignore any additional runs of the search until the current search completes? Does Splunk not reschedule the next search until the current one completes?

I figure the person should inspect the search and then schedule it based on how long it takes to run. We are addressing that.

Thanks,
Randy

0 Karma

rmorlen
Splunk Employee

Yeah. We looked and didn't change anything. Basically we are working on some queries that report on the scheduled searches and report how long they are taking to run. We can then (manually) compare those with the frequency of their schedule and then give feedback to the owner of the scheduled search.

Thanks.

0 Karma

rmorlen
Splunk Employee

Thanks. That does help. Basically need to tweak savedsearches.conf.

0 Karma

rtadams89
Contributor

Or you may not. gkanapathy explained the default settings, which are generally what you want. Consider carefully what you are changing, as changing realtime_schedule could result in a massive bog-down.

0 Karma

gkanapathy
Splunk Employee

This is controlled by the setting realtime_schedule in savedsearches.conf, and can be set so that a particular search behaves the way you choose. If you create a search through the GUI, the non-summary searches are set with this enabled, which means that some instances of the search may be skipped if previous ones have not completed. If you create summary searches in the GUI, then this is disabled, which means that all scheduled executions will be queued up.

joy76
Path Finder

Hi, gkanapathy.
I am just wondering...
What do you mean by "you create summary searches in the GUI" and
"you create a search through the GUI"?

0 Karma
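
The comparison discussed in this thread (how long a scheduled search runs versus how often it is scheduled, and what `realtime_schedule` then implies) can be automated. The following Python script is an added example, not part of the thread and not Splunk tooling: it reads `savedsearches.conf` stanzas and flags searches whose run time exceeds their interval. The stanza names, searches and run times are constructed, only simple minute-based cron forms are handled, and treating a missing `realtime_schedule` as enabled is an assumption.

```python
import configparser
import re

# Constructed sample savedsearches.conf; stanza names and searches are made up.
SAMPLE_CONF = """
[Slow minute report]
cron_schedule = * * * * *
realtime_schedule = 1
search = index=main | stats count by host

[Slow summary fill]
cron_schedule = */5 * * * *
realtime_schedule = 0
search = index=main | sistats count by host

[Fast hourly check]
cron_schedule = 0 * * * *
search = index=main | head 10
"""
# Constructed run times in seconds, e.g. as read from the job inspector.
SAMPLE_RUNTIMES = {"Slow minute report": 1200, "Slow summary fill": 900,
                   "Fast hourly check": 4}

def interval_seconds(cron):
    """Interval of the simple cron forms handled here, else None."""
    parts = cron.split()
    if len(parts) != 5 or parts[1:] != ["*"] * 4:
        return None
    minute = parts[0]
    if minute == "*":
        return 60
    step = re.fullmatch(r"\*/(\d+)", minute)
    if step and int(step.group(1)) > 0:
        return int(step.group(1)) * 60
    return 3600 if minute.isdigit() else None

def audit(conf_text, runtimes):
    """Map each search that outruns its schedule to (behaviour, overlapped_runs)."""
    conf = configparser.ConfigParser(interpolation=None)  # '%' can appear in SPL
    conf.read_string(conf_text)
    findings = {}
    for name in conf.sections():
        interval = interval_seconds(conf.get(name, "cron_schedule", fallback=""))
        runtime = runtimes.get(name)
        if interval is None or runtime is None or runtime <= interval:
            continue
        # Scheduled start times that arrive while one run is still executing.
        overlapped = -(-runtime // interval) - 1
        # Assumption: a missing realtime_schedule counts as enabled.
        realtime = conf.getboolean(name, "realtime_schedule", fallback=True)
        findings[name] = ("may_skip" if realtime else "queues", overlapped)
    return findings
```

For the one-minute search that takes 20 minutes from the original question, `audit(SAMPLE_CONF, SAMPLE_RUNTIMES)` reports 19 overlapping scheduled runs, marked `may_skip` because `realtime_schedule` is enabled in that stanza.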