Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timing and how Splunk handles Scheduled Searches

rmorlen
Splunk Employee
Splunk Employee
‎12-27-2011 11:26 AM

We are trying to optimize the performance of our Splunk environment.

How does Splunk handle the following:

A scheduled search is scheduled to run every minute. It takes 20 minutes for the scheduled search to complete. Do 19 other searches get queued? Does Splunk ignore any additional runs of the search until the current search completes? Does Splunk not reschedule the next search until the current one completes?

I figure the person should inspect the search and then schedule it based on how long it takes to run. We are addressing that.

Thanks,
Randy

0 Karma
Reply

rmorlen
Splunk Employee
Splunk Employee
‎12-28-2011 10:35 AM

Yeah. We looked and didn't change anything. Basically we are working on some queries that report on the scheduled searches and report how long they are taking to run. We can then (manually) compare those with the frequency of their schedule and then give feedback to the owner of the scheduled search.

Thanks.

0 Karma
Reply

rmorlen
Splunk Employee
Splunk Employee
‎12-28-2011 08:21 AM

Thanks. That does help. Basically need to tweak savedsearches.conf.

0 Karma
Reply

rtadams89
Contributor
‎12-28-2011 09:29 AM

Or you may not. gkanapathy explained the default settings, which are generally what you want. Consider carefully what you are changing, as changing realtime_schedule could result in a massive bog-down.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎12-27-2011 10:35 PM

This is controlled by the setting realtime_schedule in savedsearches.conf, and can be set so that a particular search behaves the way you choose. If you create a search through the GUI, the non-summary searches are set with this enabled, which means that some instances of the search may be skipped if previous ones have not completed. If you create summary searches in the GUI, then this is disabled, which means that all scheduled executions will be queued up.

Reply

joy76
Path Finder
‎04-22-2013 03:27 AM

Hi, gkanapathy.
I am just wondering...
What do you mean by "you create summary searches in the GUI" and
"you create a search through the GUI" ?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...