Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk ignores date time range after a few queries

enverb
New Member
‎06-12-2019 02:38 AM

I've been having this weird problem where Splunk suddenly starts to ignore the date-time ranges I enter after executing a few queries.

At first, I can search fine and changing the date time works perfectly. Then after X number of search queries, I suddenly get the message "Waiting for queued job to start. Manage jobs."

When I go to the jobs page, I can see the exact query that I entered but what I also notice is that the date time range says "[01/01/1970 00:00:00.000 to 01/01/1970 01:00:00.000]".

If I then go on and kill the job and change the date and time, I get the exact same problem; I can never seem to change the date range from "[01/01/1970 00:00:00.000 to 01/01/1970 01:00:00.000]" to the range I want.

Any ideas?

Tags (2)
0 Karma
Reply

tomy8s
Loves-to-Learn Lots
‎01-07-2021 08:40 AM

Did you ever get to the bottom of this?

We have a user who's experiencing the same problem. Whatever he seems to do, his searches are always queued with the date range set to "[01/01/1970 00:00:00.000 to 01/01/1970 01:00:00.000]".

I'd really appreciate if you have any ideas to help. 🙂

0 Karma
Reply

tomy8s
Loves-to-Learn Lots
‎01-08-2021 01:29 AM

We found the problem: The user had exceeded his disk usage quota.

And the fix: He went into his jobs and deleted a few, and then it worked.

Hope this helps anyone in future!

0 Karma
Reply

kmaron
Motivator
‎06-13-2019 05:44 AM

If you wait for the job to run, instead of killing it, does it run with the correct time range?

0 Karma
Reply

enverb
New Member
‎06-13-2019 07:16 AM

To be honest, I haven't had the patience to wait for the job to finish.
Are you suggesting this might be happening due to rate limits and it only starts calculating the date and time after the job has started?

0 Karma
Reply

kmaron
Motivator
‎06-13-2019 07:23 AM

That's my guess, yes. I have had jobs queue and when they run they're correct.

On a side note if you are having a lot of issues with jobs being queued you should look into your search quotas: https://answers.splunk.com/answers/155276/why-are-we-getting-message-waiting-for-queued-job-to-start...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...