Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why Splunk Cloud 6.2 cron scheduled jobs trigger at different times than expected?

chatterjb
Engager
‎12-17-2014 08:27 AM

I'm not exactly sure what happened in the update of 6.2 for splunk cloud, but for some reason all of our cron jobs are running off.

0 12,17 * * * this job is to run at 12 noon and 5 pm each day. It was working fine for a while, but after 12/12/14 it suddenly started coming in at 7AM and 12 noon. Was there an update to splunk's internal clock or to cron jobs?

Edit: So I was looking into all of the alerts/reports that I scheduled, it seems all of them shifted back 6 hours . . . So what once ran from 10-21 now runs from 4-15

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎12-17-2014 05:39 PM

Known bug in 6.2.0

SPL-92736 Scheduler ignores user/owner user_pref time zone setting for cron scheduled searches, runs cron scheduled search in relation to system time.

http://docs.splunk.com/Documentation/Splunk/6.2.0/ReleaseNotes/Knownissues#Search.2C_saved_search.2C...

View solution in original post

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎12-17-2014 05:39 PM

Known bug in 6.2.0

SPL-92736 Scheduler ignores user/owner user_pref time zone setting for cron scheduled searches, runs cron scheduled search in relation to system time.

http://docs.splunk.com/Documentation/Splunk/6.2.0/ReleaseNotes/Knownissues#Search.2C_saved_search.2C...

Reply
Solved! Jump to solution

sc0tt
Builder
‎01-26-2015 12:36 AM

Is there any update on this? We've just upgraded to version Splunk 6.2 and all of our jobs are executing off schedule.

0 Karma
Reply
Solved! Jump to solution

chrisshazammerm
New Member
‎07-16-2015 03:20 AM

The SPL-92736 issue no longer exists in 6.2.2 (according to the documentation).

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎01-26-2015 09:27 AM

No updates, still a bug on 6.2.1, see http://docs.splunk.com/Documentation/Splunk/6.2.1/ReleaseNotes/KnownIssues#Search.2C_saved_search.2C...

Wait for the next patch version 6.2.2 to get the fix

0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎12-17-2014 01:47 PM

This could be because of the zone the Splunk Cloud instance is in or set to. If the system is set to UTC and you are in Central Time Zone that would account for the 6 hour difference.

0 Karma
Reply
Solved! Jump to solution

chatterjb
Engager
‎12-17-2014 10:30 AM

@bmacia84 I don't have direct access to the splunk folder since it's the cloud version (or I don't know exactly how to get to it). But I did run this query index=_internal source=*scheduler.log to grab the records and it is showing that everything run as instructed just not at the right time. Also I would have expected to get double emails since I email on the scheduled task.

0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎12-17-2014 09:16 AM

I would try using $SPUNK_HOME/bin/splunk cmd btool --debug savedsearches list. It possible that you have two saved searches running on different schedules outputting the data twice on two different intervals. The following command will output savedsearched stanza with what app running them

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...