Search Schedule Window option not there

dkoops · ‎03-15-2016

Hi all,

I have a 6.3.0 enterprise clustered installation with several alerts running with 5min intervals. Most of the time this works fine but now and then they miss a run due to concurrent search restrictions. I'm aware setting a search window can help with this, but it seems that option is gone (or has never been there for this specific cluster). It has been implemented for 6.3.0 if i'm correct (?)

I did quite some customization on the .conf files, might it be that some options turn this off?

sduff_splunk · ‎01-28-2018

You should be able to access the schedule_window parameter by going into Advanced Edit for the search/alert.
If you still cannot see it, make sure the user has the schedule_search and edit_search_schedule_window capabilities.

reedmohn · ‎09-05-2017

I have users who "lost" that setting. It is visible when creating the report / alert. but it seems that they cannot change it when later editing the report or alert from the search app.

But it is visible for them if you open the search from "Settings->Searches, reports and alerts".

I've registered a support case to find out why.

Search Schedule Window option not there

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability