Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are scheduled searches not running at their proper times with cron schedules in Splunk 6.1.1?

ebastos
Explorer
‎08-07-2015 09:37 AM

Hello!

I'm running Splunk Enterprise 6.1.1 and a user reported that his scheduled jobs are not executed at their proper times.
I confirmed this information and here is an example.

Scheduled for 5 past midnight

But the job actually ran at 3AM:

Executed at 3AM

Same user has a job scheduled to run at 10 past midnight and it executed at 2AM. Another job scheduled for 5 past midnight executed just fine.
I tried looking at the internal Splunk logs and tried to find any obvious errors with
bin/splunk cmd btool --debug savedsearches list
but no luck so far.

I would appreciate any advice on this matter, please.

Regards,

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎11-25-2015 09:59 AM

Did you ever figure out what was happening here?

0 Karma
Reply

somesoni2
Revered Legend
‎08-07-2015 10:17 AM

Got a doubt here. The cron on the screenshot is scheduled for "5 past midnight (oo:05 AM)" and executes at 3 AM (INCORRECT Scheduling) and the text below says a job scheduled for "10 past midnight (00:10 AM)" executed at 2 AM (INCORRECT Scheduling) and another job scheduled for "5 past midnight (oo:05 AM)" ran fine (CORRECT Schedule). Is that correct?

0 Karma
Reply

ebastos
Explorer
‎08-07-2015 10:35 AM

Sorry, let me clarify:

The user has multiple jobs. All scheduled around midnight (between 00:05 and 00:20).
Some of them run exactly on schedule. Some run at 2AM and some run at 3AM.

And I don't mean it's scheduled for 00:05 and run at 03:05 (three hours off). I mean 3AM on the dot, which makes no sense for me.

0 Karma
Reply

woodcock
Esteemed Legend
‎08-07-2015 09:53 AM

The problem is that the scheduled job runs AS A USER (the user that saved it). Each user has a Timezone setting inside his profile under My User Name -> Edit account -> Timezone. When you say "3AM", you are actually saying "3AM as interpreted by this user's Timezone setting", which in your case, is 3 hours different than you think it should be.

0 Karma
Reply

ebastos
Explorer
‎08-07-2015 10:39 AM

Thanks. I just checked that and the user has the correct time zone. I also compared with another user which I know by fact that has a working job and they matched.

Also a problem with the time zone would cause a full 2 or 3 hours mismatch, but as you can see on the screenshots the job is scheduled for 5 minutes past midnight and actually ran at 3AM on the dot.

0 Karma
Reply

woodcock
Esteemed Legend
‎08-07-2015 11:20 AM

Based on your pictures, I thought we were talking about a 3-hour (and 5 minutes) difference. Your pictures don't match your text.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...