I'm not sure what the default 0 option means for the Schedule Window option.
It allows Splunk to shift the actual execution of that search forward in time a bit (keeping the effective timepicker value unshifted) so that Splunk can rearrange/reorder multiple scheduled searches slightly so that they don't all happen at the same time. Unless I have reason to be strict, I always set it to Auto for every scheduled search. The higher the percentage of saved searches that use this, the more even your resource usage will be (less spiky).
A follow up at What time frame does the auto for Schedule Window cover?
Very interesting @woodcock.
Thank you for the answers and the information. Is there a way to change the default of 0 to Auto? Meaning, that Auto will be presented as the default and not 0...
You can add this schedule_window = auto to the savedsearches.conf under $SPLUNK_HOME/etc/users/local. But please read these points before doing that:
* Defaults to 0 for searches that are owned by users with the
edit_search_schedule_window capability. For such searches, this value can be
changed.
* Defaults to "auto" for searches that are owned by users that do not have the
edit_search_window capability. For such searches, this setting cannot be
changed.
More info is available in the savedsearches.conf.spec file under the schedule options section.
Great information @nittala_surya.
It specifies that "window" of time (in minutes) a search may start within. For example, let's say you scheduled your alert to run at 9:00 AM with a schedule window of 2 (minutes); the scheduler will keep a 2-minute window open for the alert to run. Meaning, if the scheduler is busy at 9:00 AM, it will still try to run your alert at 9:01 AM or 9:02 AM.
From docs:
schedule_window = <unsigned int> | auto
* When schedule_window is non-zero, it indicates to the scheduler that the
  search does not require a precise start time. This gives the scheduler
  greater flexibility when it prioritizes searches.
* When schedule_window is set to an integer greater than 0, it specifies the
  "window" of time (in minutes) a search may start within.
  + The schedule_window must be shorter than the period of the search.
  + Schedule windows are not recommended for searches that run every minute.
* When set to 0, there is no schedule window. The scheduler starts the search
  as close to its scheduled time as possible.
* When set to "auto," the scheduler calculates the schedule_window value
  automatically.
  + For more information about this calculation, see the search scheduler
    documentation.
* Defaults to 0 for searches that are owned by users with the
  edit_search_schedule_window capability. For such searches, this value can be
  changed.
* Defaults to "auto" for searches that are owned by users that do not have the
  edit_search_window capability. For such searches, this setting cannot be
  changed.
* A non-zero schedule_window is mutually exclusive with a non-default
  schedule_priority (see schedule_priority for details).
You probably want to check the great talk by Paul Lucas about the Splunk scheduler at last year's Splunk conference.
http://conf.splunk.com/sessions/2017-sessions.html#search=scheduler
There are slides and a recording to listen to. There is an explanation about the window and other features too.
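The schedule_window rules quoted from savedsearches.conf.spec above can be checked mechanically before a stanza is deployed. The following is an added example, not code from the thread or from Splunk: the stanza names, the issue strings, and the functions `period_minutes` and `lint` are hypothetical, the sample config is constructed, and the cron handling covers only three simple schedule shapes.

```python
import configparser

# Constructed sample savedsearches.conf content (not taken from the thread).
SAMPLE_CONF = """
[Failed logins - hourly]
cron_schedule = 0 * * * *
schedule_window = auto
[Every minute check]
cron_schedule = * * * * *
schedule_window = 1
[Five minute alert]
cron_schedule = */5 * * * *
schedule_window = 10
[Daily report]
cron_schedule = 30 6 * * *
schedule_window = 15
schedule_priority = higher
"""

def period_minutes(cron):
    """Period for three simple cron shapes only (assumption); None otherwise."""
    f = cron.split()
    if len(f) != 5 or f[2:] != ["*", "*", "*"]:
        return None
    minute, hour = f[0], f[1]
    if hour == "*":
        if minute == "*":
            return 1
        if minute.startswith("*/") and minute[2:].isdigit():
            return int(minute[2:])
        return 60 if minute.isdigit() else None
    return 1440 if minute.isdigit() and hour.isdigit() else None

def lint(conf_text):
    """Return {stanza: [issues]} for the schedule_window rules in the spec."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = {}
    for name in cp.sections():
        s = cp[name]
        window = s.get("schedule_window", "0").strip()
        period = period_minutes(s.get("cron_schedule", ""))
        issues = []
        # Assumption: "auto" counts as a non-zero window for the priority rule.
        if window != "0" and s.get("schedule_priority", "default").strip() != "default":
            issues.append("window set with non-default schedule_priority")
        if window != "0" and period == 1:
            issues.append("window on a search that runs every minute")
        if window.isdigit() and period and int(window) >= period:
            issues.append("window not shorter than search period")
        findings[name] = issues
    return findings
```

Calling `lint(SAMPLE_CONF)` returns an empty list for the hourly `auto` stanza and one or more issues for each of the other three.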
What version are you running?
@skoelpin - it's 7.0.1.