Scheduler

This topic provides a brief introduction to the scheduler and explains how to schedule commands. All NetWitness Core services come with a built-in scheduler found under /sys/config/scheduler . To use the scheduler, you add the command you want to run periodically using one of two messages:

/sys/config/scheduler addInter - Add a command to run at the specified interval (every N hours, minutes or seconds)

or

/sys/config/scheduler addMil - Add a command to run at the specified time of day or even specific days of the week

Example

For example, suppose that you have a use case to delete all packet data that is greater than seven days old. Since you cannot configure the packet.dir setting to rollout data based on a time interval, you need to schedule the /database timeRoll command to run every so often. For this example, create a timeRoll to run every 20 minutes:

				
addIter minutes=20 pathname=/database msg=timeRoll params="type=packet days=7"				
			

This command adds a scheduled task (it is persisted between restarts of the service) to run every 20 minutes, on the /database node, and ages out all packet data older than seven days. The params parameter is used to pass all the parameters to the command specified (in this case timeRoll ). Notice how it quotes all the embedded parameters ( type and days ) so they are not interpreted as parameters to be passed to the outer addIter command. If the parameters inside params need to use quotes, you must escape the inner quotes with a backslash. You can rewrite it with embedded quotes, which does not alter the command in any way:

				
addIter minutes="20" pathname="/database" msg="timeRoll" params="type=\"packet\" days=\"7\""				
			

This command works identically to the original, but demonstrates how to escape complicated parameter passing. Additional useful scheduler commands are:

/sys/config/scheduler print - Print all scheduled commands (you can also see them by doing an ls on the scheduler node).

/sys/config/scheduler delSched - Delete a scheduled command by passing in the identifier shown in the print (or ls ) command.

This is a brief introduction to the scheduler. For more information on command parameters, send the help message to the scheduler node and pass in the command name via the msg parameter. For more information, see the "Services Explore View" topic in the Host and Services Getting Started Guide .