Alerting

What does the Schedule Window option for an Alert mean?

ddrillic
Ultra Champion

I'm not sure what the default 0 option means for the Schedule Window option.

0 Karma
1 Solution

woodcock
Esteemed Legend

It allows Splunk to shift the actual execution of that search forward in time a bit (keeping the effective timepicker value unshifted) so that Splunk can rearrange/reorder multiple scheduled searches slightly so that they don't all happen at the same time. Unless I have reason to be strict, I always set it to Auto for every scheduled search. The higher the percentage of saved searches that use this, the more even your resource usage will be (less spiky).

ddrillic
Ultra Champion

It's interesting to see the following -

0 Karma

ddrillic
Ultra Champion

Very interesting @woodcock.

0 Karma

ddrillic
Ultra Champion

Thank you for the answers and the information. Is there a way to change the default of 0 to Auto, meaning that Auto will be presented as the default and not 0?

0 Karma

sudosplunk
Motivator

You can add schedule_window = auto to savedsearches.conf under $SPLUNK_HOME/etc/users/local. But please read these points before doing that:

 * Defaults to 0 for searches that are owned by users with the
   edit_search_schedule_window capability. For such searches, this value can be
   changed.
 * Defaults to "auto" for searches that are owned by users that do not have the
   edit_search_window capability. For such searches, this setting cannot be
   changed.

More info is available in savedsearches.conf.spec file under schedule options section.

ddrillic
Ultra Champion

Great information @nittala_surya.

0 Karma

sudosplunk
Motivator

It specifies the "window" of time (in minutes) a search may start within. For example, let's say you scheduled your alert to run at 9:00 AM with a schedule window of 2 (minutes); the scheduler will keep a 2-minute window open for the alert to run. Meaning, if the scheduler is busy at 9:00 AM, it will still try to run your alert at 9:01 AM or 9:02 AM.

From docs:

schedule_window = <unsigned int> | auto
* When schedule_window is non-zero, it indicates to the scheduler that the
  search does not require a precise start time. This gives the scheduler
  greater flexibility when it prioritizes searches.
* When schedule_window is set to an integer greater than 0, it specifies the
  "window" of time (in minutes) a search may start within.
  + The schedule_window must be shorter than the period of the search.
  + Schedule windows are not recommended for searches that run every minute.
* When set to 0, there is no schedule window. The scheduler starts the search
  as close to its scheduled time as possible.
* When set to "auto," the scheduler calculates the schedule_window value
  automatically.
  + For more information about this calculation, see the search scheduler
    documentation.
* Defaults to 0 for searches that are owned by users with the
  edit_search_schedule_window capability. For such searches, this value can be
  changed.
* Defaults to "auto" for searches that are owned by users that do not have the
  edit_search_window capability. For such searches, this setting cannot be
  changed.
* A non-zero schedule_window is mutually exclusive with a non-default
  schedule_priority (see schedule_priority for details).
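The rules quoted from the spec above (window shorter than the period, not for every-minute searches, no non-default schedule_priority alongside a non-zero window, 0 meaning a strict start) can be checked mechanically over a savedsearches.conf. The script below is an added example, not code from the thread or from Splunk; the stanzas in SAMPLE_CONF are constructed, and the cron period is approximated (every minute, */N minutes, hourly, */N hours, otherwise daily).

```python
import configparser
import re

# Constructed sample savedsearches.conf (hypothetical stanzas, not from the thread).
SAMPLE_CONF = """
[strict_alert]
cron_schedule = 0 9 * * *
schedule_window = 0
[auto_alert]
cron_schedule = */15 * * * *
schedule_window = auto
[window_too_long]
cron_schedule = */5 * * * *
schedule_window = 10
"""

def period_minutes(cron):
    """Approximate the period of a cron_schedule in minutes (every minute, */N
    minutes, hourly, */N hours; a fixed hour and minute is treated as daily)."""
    minute, hour = cron.split()[:2]
    if minute == "*":
        return 1
    if m := re.fullmatch(r"\*/(\d+)", minute):
        return int(m.group(1))
    if hour == "*":
        return 60
    if h := re.fullmatch(r"\*/(\d+)", hour):
        return 60 * int(h.group(1))
    return 24 * 60

def check_schedule_windows(conf_text):
    """Map each stanza to the findings implied by the spec rules quoted above."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = {}
    for name in cp.sections():
        s, notes = cp[name], []
        window = s.get("schedule_window", "0").strip().lower()
        if window == "0":
            notes.append("no schedule window: strict start time, adds to load spikes")
        elif window != "auto":
            w, period = int(window), period_minutes(s.get("cron_schedule", "* * * * *"))
            if w >= period:
                notes.append(f"window {w}m is not shorter than the period {period}m")
            if period == 1:
                notes.append("schedule window not recommended for an every-minute search")
            if s.get("schedule_priority", "default").lower() != "default":
                notes.append("non-zero window conflicts with non-default schedule_priority")
        findings[name] = notes
    return findings
```

Run it against a real savedsearches.conf (after reading the file into a string) to list which scheduled searches still use a strict 0 window and which integer windows violate the spec's constraints.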

burwell
SplunkTrust

You probably want to check the great talk by Paul Lucas about the Splunk scheduler at last year's Splunk conference.

http://conf.splunk.com/sessions/2017-sessions.html#search=scheduler

There are slides and a recording to listen to. There is explanation about the window and other features too.

skoelpin
SplunkTrust

What version are you running?

0 Karma

ddrillic
Ultra Champion

@skoelpin - it's 7.0.1.

0 Karma