How-To: Edit schedule and timestamp in scheduled searches

When you edit the schedule or the timestamp field that a scheduled search runs on, there are some tips you should consider in order not to miss or duplicate events. These tips apply to scheduled searches where the schedule matches the time window, and where the scheduled search should cover every time interval exactly once.

Edit the schedule and time window

If you want to change the Schedule and Time window properties of a scheduled search, you need to be careful when you do so:

  • If you want to change the scheduled search to run more often, you should make the change right after it has run. For example, if you want to change it from running every hour at minute 0 to running every 15 minutes, you should do so after the run at, say, 13:00 has finished, but before 13:15, when the first run on the new schedule is due.

    If, for example, you do it at 13:40, the next run will be 13:45 searching 13:30-13:45, so you will miss events between 13:00 and 13:30.

    If the old schedule used H for the minute, you need to find out which minute it actually ran on, say minute 23, and then set the new schedule to run at minutes 8,23,38,53.

  • If you want to change the scheduled search to run less often, you should make the change right after a run that matches the new schedule has finished. For example, if you want to change it from running every 15 minutes to running every hour, you should do so after the run at, say, 13:00 has finished, but before 13:15, when the next run on the old schedule is due.

    If, for example, you do it at 13:40, the runs for 13:00-13:15 and 13:15-13:30 have already happened, so when the search runs with the new schedule at 14:00 it searches 13:00-14:00 and thus duplicates the events from 13:00-13:30.

    You should not use H for the minute in the new schedule, because you then cannot control when the search actually runs, so you will either get duplicate events or miss events when you change the schedule.

Change the timestamp

If you want to change the timestamp from @timestamp to @ingesttimestamp, you should be aware of the following, especially if the Delay run property is not 0, because scheduled searches on @ingesttimestamp do not support a delayed run.

Delay run is 0

If Delay run is 0, you might notice that the scheduled search begins to find more events than it did before. This is because events whose @timestamp lies near the end of the search interval could have been ingested with a delay, so they were not yet available in LogScale when the query ran. Otherwise, there is nothing else to be aware of.

Delay run is not 0, but smaller than the Time window

If Delay run is not 0 but smaller than the Time window, you need to be careful when selecting the new schedule. If the schedule is hourly, the search runs at minute 0 and the delay is 20 minutes, then the run at 13:00 searches 11:40-12:40. This means that after that run, and before 13:40, you need to switch to running on @ingesttimestamp at minute 40, so that the next run happens at 13:40 and searches 12:40-13:40.

If the minute is H, you need to do something similar to Delay run is 0 to change the schedule.

Delay run is not 0, and larger than or equal to the Time window

If Delay run is larger than or equal to the Time window, it becomes more difficult. You first need to switch to a larger Time window, so that the first run on @ingesttimestamp, which does not use the delay, can search back to the end of the search interval of the last delayed run. Once that first run on @ingesttimestamp has finished, you can edit the scheduled search to run more often, following Delay run is not 0, but smaller than the Time window above, to change the schedule.
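The timing arguments in Edit the schedule and time window and in the three Delay run sections above all reduce to one question: after the change, which time intervals are searched zero times or twice? The Python below is an added example, not code from the LogScale documentation or product. It models a scheduled search as a period, the minute it fires on, a Time window and a Delay run, simulates the runs across one or more configuration changes, and reports the gaps (missed events) and overlaps (duplicate events). The reference day, all schedules and all change times are constructed for illustration, and @timestamp and @ingesttimestamp are treated as one continuous timeline, as the how-to does; the model assumes each run searches the window ending Delay run before the run starts.

```python
"""Simulate a LogScale scheduled search across a change of its Schedule,
Time window or Delay run, and report which time intervals end up never
searched (missed events) or searched twice (duplicates). All schedules and
clock times are constructed for illustration, and @timestamp and
@ingesttimestamp are treated as one timeline, as the how-to does."""
from dataclasses import dataclass
from datetime import datetime, timedelta

DAY = datetime(2024, 1, 1)  # constructed reference day for all clock times


def at(hour, minute=0):
    return DAY + timedelta(hours=hour, minutes=minute)


def minutes(n):
    return timedelta(minutes=n)


@dataclass(frozen=True)
class Schedule:
    period: timedelta              # how often it runs (hourly, every 15 min)
    offset: timedelta              # the minute within the period it fires on
    window: timedelta              # Time window: how far back each run searches
    delay: timedelta = minutes(0)  # Delay run; 0 when run on @ingesttimestamp

    def runs(self, after, until):
        """Run times t with after < t <= until, aligned to midnight."""
        t = DAY + self.offset
        while t <= until:
            if t > after:
                yield t
            t += self.period

    def searched(self, run_time):
        """Interval a run searches: it ends `delay` before the run starts."""
        end = run_time - self.delay
        return end - self.window, end


def simulate(phases, horizon):
    """phases: [(effective_from, Schedule), ...] in time order; each schedule
    governs the runs in (effective_from, next effective_from]. Returns one
    (run_time, interval_start, interval_end) tuple per run."""
    runs = []
    for i, (start, sched) in enumerate(phases):
        end = phases[i + 1][0] if i + 1 < len(phases) else horizon
        runs.extend((t, *sched.searched(t)) for t in sched.runs(start, end))
    return runs


def _add(pieces, a, b):
    """Append (a, b), merging it into the previous piece when they touch."""
    if pieces and pieces[-1][1] == a:
        pieces[-1] = (pieces[-1][0], b)
    else:
        pieces.append((a, b))


def coverage(runs):
    """Sweep the searched intervals in start order; collect gaps (never
    searched) and overlaps (searched more than once)."""
    gaps, overlaps = [], []
    intervals = sorted((a, b) for _, a, b in runs)
    covered_until = intervals[0][0] if intervals else None
    for a, b in intervals:
        if a > covered_until:
            _add(gaps, covered_until, a)
        elif a < covered_until:
            _add(overlaps, a, min(b, covered_until))
        covered_until = max(covered_until, b)
    return gaps, overlaps


def check(phases, horizon):
    """Gaps and overlaps as 'HH:MM-HH:MM' strings, for reading and testing."""
    def fmt(iv):
        return iv[0].strftime("%H:%M") + "-" + iv[1].strftime("%H:%M")
    gaps, overlaps = coverage(simulate(phases, horizon))
    return [fmt(g) for g in gaps], [fmt(o) for o in overlaps]


# Constructed configurations matching the how-to's examples.
HOURLY = Schedule(minutes(60), minutes(0), minutes(60))
EVERY_15 = Schedule(minutes(15), minutes(0), minutes(15))
HOURLY_AT_23 = Schedule(minutes(60), minutes(23), minutes(60))  # old schedule used H, ran at :23
EVERY_15_AT_8 = Schedule(minutes(15), minutes(8), minutes(15))  # new schedule at 8,23,38,53
DELAY_20 = Schedule(minutes(60), minutes(0), minutes(60), delay=minutes(20))
INGEST_AT_40 = Schedule(minutes(60), minutes(40), minutes(60))  # @ingesttimestamp, minute 40
DELAY_120 = Schedule(minutes(60), minutes(0), minutes(60), delay=minutes(120))
WIDE_3H = Schedule(minutes(60), minutes(0), minutes(180))       # first @ingesttimestamp run

if __name__ == "__main__":
    cases = {
        "hourly -> 15 min at 13:40": ([(at(12), HOURLY), (at(13, 40), EVERY_15)], at(15)),
        "15 min -> hourly at 13:40": ([(at(12), EVERY_15), (at(13, 40), HOURLY)], at(15)),
        "H (:23) -> 8,23,38,53 at 13:30": ([(at(12), HOURLY_AT_23), (at(13, 30), EVERY_15_AT_8)], at(15)),
        "delay 20m -> ingest at :40, at 13:10": ([(at(11), DELAY_20), (at(13, 10), INGEST_AT_40)], at(15)),
        "delay 2h -> 3h window once -> hourly": (
            [(at(11), DELAY_120), (at(13, 10), WIDE_3H), (at(14, 10), HOURLY)], at(16)),
    }
    for label, (phases, horizon) in cases.items():
        gaps, overlaps = check(phases, horizon)
        print(f"{label}: missed {gaps or 'nothing'}, duplicated {overlaps or 'nothing'}")
```

Running it reproduces the how-to's numbers: changing from hourly to every 15 minutes at 13:40 misses 13:00-13:30, changing the other way at 13:40 duplicates 13:00-13:30, and the same changes made between 13:00 and 13:15 are clean. The last case walks through the Delay run larger than the Time window procedure as three phases: the delayed schedule, one run with a 3-hour window that reaches back to the end of the last delayed interval, and then the normal hourly schedule again. Editing the phases and change times is a cheap way to check a planned change before applying it.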