Covering all the events for potentially delayed Scheduled Queries in Panther

Last updated
Save as PDF

QUESTION

What would be the best practice to ensure that there will be no missed events if a Scheduled Query starts later than the scheduled start time? Let's suppose that I have a Scheduled Query that runs every hour to look back for events over the past hour. For example, the first search is supposed to happen at 4 pm and account for the events between 3-4 pm. What happens if the search starts 5 minutes later, at 4:05 pm? How do I account for the events that occurred between 4 pm and 4:05 pm?

ANSWER

Overlapping the Scheduled Queries could help with this scenario.

The section Data latency and timing considerations contains some relevant details regarding this approach.

Let's assume that you schedule every hour (60m) and for safety, you want to "look back" (90m). In that case, you can use p_occurs_since('90 minutes'). Kindly note that you should always use p_occurs_since in your Scheduled Queries, as indicated in the Notes of the Examples section.

In addition, the article How do I resolve a "behind schedule" System Error for scheduled query in Panther? contains some useful information that explains why delays related to queries might happen.