- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Splunk ignores date time range after a few queries
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk ignores date time range after a few queries
I've been having this weird problem where Splunk suddenly starts to ignore the date-time ranges I enter after executing a few queries.
At first, I can search fine and changing the date time works perfectly. Then after X number of search queries, I suddenly get the message "Waiting for queued job to start. Manage jobs."
When I go to the jobs page, I can see the exact query that I entered but what I also notice is that the date time range says "[01/01/1970 00:00:00.000 to 01/01/1970 01:00:00.000]".
If I then go on and kill the job and change the date and time, I get the exact same problem; I can never seem to change the date range from "[01/01/1970 00:00:00.000 to 01/01/1970 01:00:00.000]" to the range I want.
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you ever get to the bottom of this?
We have a user who's experiencing the same problem. Whatever he seems to do, his searches are always queued with the date range set to "[01/01/1970 00:00:00.000 to 01/01/1970 01:00:00.000]".
I'd really appreciate if you have any ideas to help. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We found the problem: The user had exceeded his disk usage quota.
And the fix: He went into his jobs and deleted a few, and then it worked.
Hope this helps anyone in future!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you wait for the job to run, instead of killing it, does it run with the correct time range?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To be honest, I haven't had the patience to wait for the job to finish.
Are you suggesting this might be happening due to rate limits and it only starts calculating the date and time after the job has started?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's my guess, yes. I have had jobs queue and when they run they're correct.
On a side note if you are having a lot of issues with jobs being queued you should look into your search quotas: https://answers.splunk.com/answers/155276/why-are-we-getting-message-waiting-for-queued-job-to-start...
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
