Reputation: 59
Staggering cron alerts in Splunk?
After nearly doubling the amount of scheduled (cron) alerts in my Splunk environment, I'm starting to see some performance issues.
The alerts run every five minutes, and look at the previous five minute's worth of data.
earliest = -5m@m
latest = now
cron expression: */5 * * * *
It has been recommended to me to stagger the scheduled alerts so that, for example, some are running at 12:01, others run at 12:02, others run at 12:03, etc.
Is this possible? I'm having difficulty finding an options in the 'edit alert' page to further fine tune the cron schedule so that I can set an actual start time.
Also, the advice I got is perplexing, because I added the alerts manually; I would assume they would already be staggered because of the fact that I didn’t wait until exactly 12:00 or 12:05 to hit the submit button when creating each alert. Is that an incorrect assumption?
Upvotes: 0
Views: 642
Answers (1)
Reputation: 3188
yes, Keefer, your assumption is incorrect
Splunk's cron scheduling uses nix cron, so nothing to do with the moment you press Submit
Your current expression means "run every minute 0,5,10,15,...."
These are the offsets you're looking for
1-59/5 * * * *
2-59/5 * * * *
....
Upvotes: 1
Related Questions
- Splunk Alert - setting severity based on duration of events
- Splunk Alert - setting different threshold during the day
- Getting alert from SPlunk every 30 min even if cron_schedule is 15 min
- Splunk: schedule an alert with two different frequencies (without overlapping)
- Alerting in splunk for different thresholds
- Splunk Alert Creation
- Splunk: Throttling of alerts
- Splunk: Schedule alert to run every 10 minutes
- Setting up alerts for metrics in Splunk
- Splunk: setting up real time alerts