There are new fields in 6.3 for alerts called "Earliest" and "Latest" on the "Edit Alert Type and Trigger Condition" dialog in Splunk. I suspect these have to do with a feature called "Scheduling windows" that I've seen in a Splunk slidedeck.
The issue is the documentation on these fields is not very clear.
Could you please describe exactly how these work and what they do? By the name, they sound as if this is the earliest the job may be scheduled onto a CPU by the scheduler. If this is the case, wouldn't we always want Earliest to be +1 or +2 minutes? What is the relative time relative to (there are several choices here)? How does the scheduled job pick the parameters for the query (I'm thinking/hoping earliest and latest have nothing to do with this)?
Thanks
↧