Loadjob returns oldest job in job history

stanwin
Contributor

All

Wonder if anyone else has had this issue with loadjob (Splunk 6.4.4 build b53a5c14bb5e).

At times Splunk loads the oldest sid, i.e. the oldest job in the job history.

Already have a related case opened & will update the findings here.

You will note from the output below that the job selected is not the latest.

| rest "/services/saved/searches/massive_searching/history" | table title published

title published
scheduler_adminJLPOperationsRMD501616f0095d16b4d_at_1482933600_8038_610C6DEE-BD24-46B3-B2D2-F473062C2A5C 2016-12-28T14:00:05+00:00
scheduler
adminJLPOperationsRMD501616f0095d16b4d_at_1482934860_8331_610C6DEE-BD24-46B3-B2D2-F473062C2A5C 2016-12-28T14:21:04+00:00
scheduler
adminJLPOperationsRMD501616f0095d16b4d_at_1482935040_17514_38D39F64-2AEA-4ACE-AAEE-977BE62EB003 2016-12-28T14:24:01+00:00
scheduler
adminJLPOperationsRMD501616f0095d16b4d_at_1482935220_17571_38D39F64-2AEA-4ACE-AAEE-977BE62EB003 2016-12-28T14:27:06+00:00
scheduler
adminJLPOperationsRMD501616f0095d16b4d_at_1482935400_46238_C47C0830-55E7-4973-8146-4AE3832AA41E 2016-12-28T14:30:02+00:00
scheduler
adminJLPOperations_RMD501616f0095d16b4d_at_1482935580_8474_610C6DEE-BD24-46B3-B2D2-F473062C2A5C 2016-12-28T14:33:01+00:00

search.log

Splunk usually waits a long time displaying "waiting for data" before loading results with the oldest SID & NOT the latest.

12-28-2016 14:34:30.235 INFO UserManager - Done setting user context: NULL -> amdin
12-28-2016 14:34:30.235 INFO UserManager - Setting user context: amdin
12-28-2016 14:34:30.235 INFO UserManager - Done setting user context: NULL -> amdin
12-28-2016 14:34:30.269 INFO SearchOperator:loadjob - found latest sid=scheduler_adminJLPOperations_RMD501616f0095d16b4d_at_1482933600_8038_610C6DEE-BD24-46B3-B2D2-F473062C2A5C from https://127.0.0.1:8089/servicesNS/amdin/amdinapp//saved/searches/massive_searching/history?output_mo..., for savedsearch=amdin:amdinapp:massive_searching
12-28-2016 14:34:30.294 INFO UserManager - Unwound user context: amdin -> NULL
12-28-2016 14:34:30.295 INFO UserManager - Setting user context: amdin

0 Karma
burwell
SplunkTrust

Hello. I ran into this with Splunk 6.4.

The 6.5.1 release notes show that it was fixed in 6.5.1

https://docs.splunk.com/Documentation/Splunk/6.5.1/ReleaseNotes/6.5.1

loadjob on Search Head Cluster (SHC) brings oldest run rather than latest

ashwini_hosbet
New Member

Is there a workaround for older versions (6.4)?

0 Karma

stanwin
Contributor

Hello Ashwini,

You could use REST to fetch the most recent saved search job history (tail) & use the title (the job identifier) as an input to loadjob.

However, this will cause a messy error message at the time the job is running, which may dissuade usage of it entirely!

0 Karma
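
The workaround described in the reply above, written out as a search (an added example, not part of the original thread). It assumes the saved search name `massive_searching` and the REST path from the question, and it sorts on `published` explicitly rather than relying on `tail`, which is a choice made here and not something the thread specifies.

```spl
| loadjob
    [| rest "/services/saved/searches/massive_searching/history"
     | sort - str(published)
     | head 1
     | return $title]
```

The subsearch returns only the `title` of the newest history entry, which is the job's sid, so `loadjob` is handed an explicit sid instead of resolving the "latest" run itself.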

stanwin
Contributor

Thanks Burwell!

0 Karma