Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk ignores date time range after a few queries

enverb
New Member
‎06-12-2019 02:38 AM

I've been having this weird problem where Splunk suddenly starts to ignore the date-time ranges I enter after executing a few queries.

At first, I can search fine and changing the date time works perfectly. Then after X number of search queries, I suddenly get the message "Waiting for queued job to start. Manage jobs."

When I go to the jobs page, I can see the exact query that I entered but what I also notice is that the date time range says "[01/01/1970 00:00:00.000 to 01/01/1970 01:00:00.000]".

If I then go on and kill the job and change the date and time, I get the exact same problem; I can never seem to change the date range from "[01/01/1970 00:00:00.000 to 01/01/1970 01:00:00.000]" to the range I want.

Any ideas?

Tags (2)
0 Karma
Reply

tomy8s
Loves-to-Learn Lots
‎01-07-2021 08:40 AM

Did you ever get to the bottom of this?

We have a user who's experiencing the same problem. Whatever he seems to do, his searches are always queued with the date range set to "[01/01/1970 00:00:00.000 to 01/01/1970 01:00:00.000]".

I'd really appreciate if you have any ideas to help. 🙂

0 Karma
Reply

tomy8s
Loves-to-Learn Lots
‎01-08-2021 01:29 AM

We found the problem: The user had exceeded his disk usage quota.

And the fix: He went into his jobs and deleted a few, and then it worked.

Hope this helps anyone in future!

0 Karma
Reply

kmaron
Motivator
‎06-13-2019 05:44 AM

If you wait for the job to run, instead of killing it, does it run with the correct time range?

0 Karma
Reply

enverb
New Member
‎06-13-2019 07:16 AM

To be honest, I haven't had the patience to wait for the job to finish.
Are you suggesting this might be happening due to rate limits and it only starts calculating the date and time after the job has started?

0 Karma
Reply

kmaron
Motivator
‎06-13-2019 07:23 AM

That's my guess, yes. I have had jobs queue and when they run they're correct.

On a side note if you are having a lot of issues with jobs being queued you should look into your search quotas: https://answers.splunk.com/answers/155276/why-are-we-getting-message-waiting-for-queued-job-to-start...

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...