guilhemmarchand
commented
3 years ago Hi @bdcrandall !
Thanks for opening this issue.
Right, so my bad these sentences in the FAQ are outdated, I indeed see it too:
For reference:
Short term trackers run every 5 minutes, earliest=-4h latest=+4h
Long term trackers run once per hour, earliest=-7d latest=+4hThis is not correct, but the app itself is correct, the short term runs at:
dispatch.earliest_time = -4h
dispatch.latest_time = +4hThe long term runs at:
dispatch.earliest_time = -24h
dispatch.latest_time = -4hThis to do such that the long term does not look at sources which are to be handled by the short term, which in addition does:
| where data_last_time_seen<relative_time(now(), "-4h-5m")\The full code for context:
[TrackMe - hosts availability long term tracker]
cron_schedule = 1 * * * *
description = This scheduled report tracks and updates the data source availability KVstore based lookup
dispatch.earliest_time = -24h
dispatch.latest_time = -4h
enableSched = 1
request.ui_dispatch_app = trackme
request.ui_dispatch_view = trackme
dispatch.ttl = 900 # 15m ttl for this artefact
search = | savedsearch "TrackMe - Data hosts abstract root tracker"\
\
`comment("#### collects latest collection state into the summary index ####")`\
| `trackme_collect_state("current_state_tracking:data_host", "data_host")`\
\
| where data_last_time_seen<relative_time(now(), "-4h-5m")\
`comment("#### output flipping change status if changes ####")`\
| `trackme_get_flip(data_host_state, data_previous_host_state, data_host, trackme_audit_flip_temp_data_host)`\
| `trackme_outputlookup(trackme_host_monitoring, key)`\
| stats cSo, in therory, the long term should not be handling a data source that is handled by the short term at all (because it is in the scope of the short term only and excluded de facto)
I've not been warmed about any issue on this side (and there's a lot of active deployment) nor in the several PROD deployment I am seing right now, so if there's a thing there must an explanation I'll be happy to get with you.
Can we:
-
Identify a few data sources, which you suspects would be affected by an issue
-
To do this, you can refer to the summary data:
index="trackme_summary" source="current_state_tracking:data_source"You will note that there is a field named search_name which corresponds to the name of the tracker, so you can identify if a same data source was handled by both trackers and what were the statuses rendered via the summary data at this point in time.
Technically, if a data source is reported by the long term, this should be because its data was out of the window of the short term.
I would suspect this might have to see with some TZ related settings, given that the relative time commands in SPL are linked to the user context too, but that's just an idea potentially.
First let's get facts and we can start from there
bdcrandall
Describe the bug The dispatch.latest_time in the long term tracker searches in savedsearches.conf is incorrect. The FAQ says it should be +4h for both searches but it is set to -4h by default.
Splunk version and deployment:
Additional context The way this manifests in my environment is that I have a bunch of data sources that flip red at 1 minute past the hour and then go back green at 5 minutes past the hour. It doesn't happen every hour but it happens enough that email alerting is basically worthless.