Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are scheduled searches not running at their proper times with cron schedules in Splunk 6.1.1?

ebastos
Explorer
‎08-07-2015 09:37 AM

Hello!

I'm running Splunk Enterprise 6.1.1 and a user reported that his scheduled jobs are not executed at their proper times.
I confirmed this information and here is an example.

Scheduled for 5 past midnight

But the job actually ran at 3AM:

Executed at 3AM

Same user has a job scheduled to run at 10 past midnight and it executed at 2AM. Another job scheduled for 5 past midnight executed just fine.
I tried looking at the internal Splunk logs and tried to find any obvious errors with
bin/splunk cmd btool --debug savedsearches list
but no luck so far.

I would appreciate any advice on this matter, please.

Regards,

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

woodcock
Esteemed Legend
‎11-25-2015 09:59 AM

Did you ever figure out what was happening here?

0 Karma
Reply

somesoni2
Revered Legend
‎08-07-2015 10:17 AM

Got a doubt here. The cron on the screenshot is scheduled for "5 past midnight (oo:05 AM)" and executes at 3 AM (INCORRECT Scheduling) and the text below says a job scheduled for "10 past midnight (00:10 AM)" executed at 2 AM (INCORRECT Scheduling) and another job scheduled for "5 past midnight (oo:05 AM)" ran fine (CORRECT Schedule). Is that correct?

0 Karma
Reply

ebastos
Explorer
‎08-07-2015 10:35 AM

Sorry, let me clarify:

The user has multiple jobs. All scheduled around midnight (between 00:05 and 00:20).
Some of them run exactly on schedule. Some run at 2AM and some run at 3AM.

And I don't mean it's scheduled for 00:05 and run at 03:05 (three hours off). I mean 3AM on the dot, which makes no sense for me.

0 Karma
Reply

woodcock
Esteemed Legend
‎08-07-2015 09:53 AM

The problem is that the scheduled job runs AS A USER (the user that saved it). Each user has a Timezone setting inside his profile under My User Name -> Edit account -> Timezone. When you say "3AM", you are actually saying "3AM as interpreted by this user's Timezone setting", which in your case, is 3 hours different than you think it should be.

0 Karma
Reply

ebastos
Explorer
‎08-07-2015 10:39 AM

Thanks. I just checked that and the user has the correct time zone. I also compared with another user which I know by fact that has a working job and they matched.

Also a problem with the time zone would cause a full 2 or 3 hours mismatch, but as you can see on the screenshots the job is scheduled for 5 minutes past midnight and actually ran at 3AM on the dot.

0 Karma
Reply

woodcock
Esteemed Legend
‎08-07-2015 11:20 AM

Based on your pictures, I thought we were talking about a 3-hour (and 5 minutes) difference. Your pictures don't match your text.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...