"Scheduler.log" Alert Efficiencies & Field Meaning...

danielbarr · ‎07-18-2016

Hi,

I'm trying to determine the efficiency of alerts within Splunk. I was wondering if anyone knows which particular fields are the most valuable for this. Most likely look at the time taken for the search to run.

Here are the fields that I'm trying to determine the meaning of:

dispatch_time
result_count
run_time
savedsearch_id
savedsearch_name
scheduled_time
Status
Suppressed
window_time

I'd appreciate any help or guidance on this, thanks!

pradeepkumarg · ‎07-18-2016

dispatch_time - Time the search actually was dispatched/triggered

result_count - results returned by the search

run_time - Execution time of the search (Time taken to complete the search execution)

savedsearch_id - Owner,app and search name information

savedsearch_name - Name of the saved search

scheduled_time - The time when the search was supposed to be triggered

Status - Status of the particular run- Success.skipped etc..,

danielbarr · ‎07-18-2016

Thanks for the help. Just wondering what do these numbers actually mean, they're very large and don't seem accurate.

Here's some examples from real data:

Example 1:
window_time = 60
scheduled_time = 1468736160
dispatch_time = 1468736284
run_time = 114310.619

Example 2:
window_time = 0
scheduled_time = 1468850400
dispatch_time = 1468850581
run_time = 1.759

Example 3:
window_time = 900
scheduled_time = 1468850400
dispatch_time = 1468850572
run_time = 2.504

Thanks!

pradeepkumarg · ‎07-18-2016

the numbers represented are epoch(unix format) values of time. You can do as below to convert them to human readable time formats

| convert ctime(scheduled_time) as SCHEDULE | convert ctime(dispatch_time) as DISPATCH

"Scheduler.log" Alert Efficiencies & Field Meanings

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!