On Scheduling Inspector’s main dashboard, users will quickly be able to identify any Scheduled Searches that have Wasteful Time Windows.
These searches have overlapping time windows that are searching the same data more than once. For instance, a search that is scheduled to run every 15 minutes but looks at the past 60 minutes of data will search the same bucket of events multiple times, wasting CPU resources and search slots. By keeping these searches in check, an environment can stay fast and efficient.
After identifying a search with a possible wasteful time window, users can investigate further by selecting the Magnifying Glass to open the search on a new tab. This is useful for investigating if there were other reasons why this search didn’t meet best practices.
Once confirmed as a viable target for fixing, users can select the wrench icon for a modal that will enable them to automatically tune their search to meet best practices.
Selecting ‘Apply’ will update the Time Window of the Search to fix any overlaps based on the Scheduled Search cadence. This change will be saved on the local files of the corresponding application.
It is recommended to not use this tool to change Enterprise Security searches or searches that result in an “outputlookup” command. It is beneficial to confirm the reasons for the search’s output and existence before updating the timespan.