Scheduled search frequency limits

Scheduled search frequency limits let administrators control how often Splunk software runs saved searches for individual roles and trigger action types.

Splunk Cloud Platform lets you set a minimum interval between scheduled runs of a saved search for roles and trigger action types. Use scheduled search frequency limits to prevent aggressive search schedules that can cause resource contention, skipped searches, and overload of external services in large environments.

Note: This feature is available under Controlled Availability in Splunk Cloud Platform version 10.5. In the Controlled Availability release stage, Splunk products may have limitations on customer access, features, maturity, and regional availability. For additional information on Controlled Availability, contact your Splunk representative.

Set scheduled search frequency limits

Configure minimum schedule intervals for a role using the Resources tab in Splunk Web.

Configure minimum schedule intervals and cron expression restrictions for a role using the Resources tab in Splunk Web.

Set the minimum schedule interval

Set the minimum amount of time between scheduled runs for all saved searches assigned to the role. By default, no frequency limits apply to a role.

  1. In Splunk Web, select Settings, then select Roles.
  2. Select the role you want to configure, then select the Resources tab.
  3. Under Saved search schedule limits, set the Minimum schedule interval (minutes).

Scheduled search frequency limits do not apply to existing scheduled searches. Splunk software enforces limits only when a user creates or edits a scheduled search.

Set the minimum interval for a trigger action

You can set a separate minimum interval for searches that use a specific trigger action, such as an email alert. Trigger-specific limits are independent of a role's minimum schedule interval.

  1. Under Saved search schedule limits, select Add trigger-specific limit.
  2. Choose the trigger action you want to limit.
  3. Set the minimum schedule interval for that trigger action.

Allow or restrict complex cron schedules

The Allow complex cron schedules toggle controls whether users in a role can use complex cron expressions. Turn the toggle off to limit users to standard, skewable patterns.

  • On (default): all cron expressions are allowed.
  • Off: only standard cron expressions that support Splunk search schedule skew are allowed.

Complex cron expressions are not supported by Splunk search schedule skew and can circumvent the minimum schedule interval. For example, 0 9-17 * * 1-5 runs searches on weekdays between 9 a.m. and 5 p.m., a pattern Splunk search schedule skew cannot offset. For the list of standard skewable patterns, see Skew scheduled report start times.

Role inheritance and fallback behavior

Understand how frequency limits apply when a user holds multiple roles or when a trigger action has no explicit limit.

When a user holds more than one role, frequency limits use most-permissive semantics. When a trigger action has no explicit limit, it falls back to the role's baseline minimum schedule interval.

Role inheritance

When a user holds more than one role, the least restrictive limit applies. For example, if role_1 has a 10-minute interval and role_2 has no restriction, the user has no restriction.

This behavior follows the existing precedent for concurrency limits and supports patterns such as granting an administrative role to bypass restrictions.

Trigger action fallback

A trigger action without an explicit limit falls back to the role's minimum schedule interval. For example, if a role has a minimum schedule interval of 10 minutes and an email interval of 15 minutes, a search that uses a webhook or custom alert action is subject to the 10-minute minimum.

Splunk Web supports setting trigger-specific limits for the default alert action types. Custom alert actions are not configurable in the UI and inherit the minimum schedule interval.