Alerting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk cron vs scheduler

marceloalejandr
Path Finder
‎03-26-2021 08:43 AM

Greeting Splunkers, 

I'm researching an issue with Splunk scheduled reports and I came across the .conf2017 material "Making the Most of the Splunk Scheduler" (see attached snippet of page 10 of the material).    The issue we're seeing is some scheduled jobs are not returning results but when the same SPL that's in the job is run real-time there are results.    The jobs are scheduled as a cron within the Splunk UI Schedule "Run on Cron Schedule".    I came cross the .conf2017 material and maybe found an issue or concern related to the issue.  

Can anyone please clarify a couple things: 

- the material mentions that Cron is "Limited to a single machine".   What does this mean and how does Splunk determine which machine/server to utilize?   

- we schedule most of jobs as Cron because it has a little more flexibility with the time to set the start time.  I also came across the limits.conf and authorized.conf documentation and found that all of the Splunk settings are still set to the default.   In further researching the issue, it seems there are approximately 30 jobs starting or running at 0400 when the job in question is not returning results.    So the other question is, are we hitting a system limit and can Splunk be optimized or tweaked to support more jobs and/or is the system limit causing the report to return no results?   If Splunk can be optimized/tweaked which parameters or settings needs to be changed?   

Any thoughts?   Thanks in advance for any help and insight.    Cheers!

Labels (1)
Labels
Preview file
100 KB
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-26-2021 09:44 AM

I'm not sure anything on the left side of page 10 was ever true.  Jobs scheduled with cron syntax are subject to the quotas as other scheduled searches, can use schedule window and skew, and are scheduled across a SHC.

It's possible the job did not return results because it was skipped.  Splunk should have logged the skip - search for index=_internal sourcetype=Scheduler status=skipped.

Thirty jobs is too many to run at once on fewer than 60 SH CPUs. Re-distribute the search schedules for a more even run count.  The MC can help with that as can the dashboard at https://github.com/dpaper-splunk/public/blob/master/dashboards/extended_search_reporting.xml

---
If this reply helps you, Karma would be appreciated.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...