All
wonder if anyone else has had this issue with loadjob. (Splunk 6.4.4 build b53a5c14bb5e)
SPLUNK loads the oldest sid i.e. the oldest job in the job history at times
Already have a related case opened & will update the finding here.
You will note from below that the job selected from below is not the latest..
| rest "/services/saved/searches/massive_searching/history" | table title published
title published
scheduler_adminJLPOperationsRMD501616f0095d16b4d_at_1482933600_8038_610C6DEE-BD24-46B3-B2D2-F473062C2A5C 2016-12-28T14:00:05+00:00
scheduleradminJLPOperationsRMD501616f0095d16b4d_at_1482934860_8331_610C6DEE-BD24-46B3-B2D2-F473062C2A5C 2016-12-28T14:21:04+00:00
scheduleradminJLPOperationsRMD501616f0095d16b4d_at_1482935040_17514_38D39F64-2AEA-4ACE-AAEE-977BE62EB003 2016-12-28T14:24:01+00:00
scheduleradminJLPOperationsRMD501616f0095d16b4d_at_1482935220_17571_38D39F64-2AEA-4ACE-AAEE-977BE62EB003 2016-12-28T14:27:06+00:00
scheduleradminJLPOperationsRMD501616f0095d16b4d_at_1482935400_46238_C47C0830-55E7-4973-8146-4AE3832AA41E 2016-12-28T14:30:02+00:00
scheduleradminJLPOperations_RMD501616f0095d16b4d_at_1482935580_8474_610C6DEE-BD24-46B3-B2D2-F473062C2A5C 2016-12-28T14:33:01+00:00
search.log
Splunk usually waits long time displaying waiting for data before loading results with oldest SID id & NOT latest..
12-28-2016 14:34:30.235 INFO UserManager - Done setting user context: NULL -> amdin
12-28-2016 14:34:30.235 INFO UserManager - Setting user context: amdin
12-28-2016 14:34:30.235 INFO UserManager - Done setting user context: NULL -> amdin
12-28-2016 14:34:30.269 INFO SearchOperator:loadjob - found latest sid=scheduler_adminJLPOperations_RMD501616f0095d16b4d_at_1482933600_8038_610C6DEE-BD24-46B3-B2D2-F473062C2A5C from https://127.0.0.1:8089/servicesNS/amdin/amdinapp//saved/searches/massive_searching/history?output_mo..., for savedsearch=amdin:amdinapp:massive_searching
12-28-2016 14:34:30.294 INFO UserManager - Unwound user context: amdin -> NULL
12-28-2016 14:34:30.295 INFO UserManager - Setting user context: amdin
Hello. I ran into this with Splunk 6.4.
The 6.5.1 release notes show that it was fixed in 6.5.1
https://docs.splunk.com/Documentation/Splunk/6.5.1/ReleaseNotes/6.5.1
loadjob on Search Head Cluster (SHC) brings oldest run rather than latest
Hello. I ran into this with Splunk 6.4.
The 6.5.1 release notes show that it was fixed in 6.5.1
https://docs.splunk.com/Documentation/Splunk/6.5.1/ReleaseNotes/6.5.1
loadjob on Search Head Cluster (SHC) brings oldest run rather than latest
Is there a work around for older versions (6.4)?
Hello Ashwini
you could use REST to fetch the most recent saved search job history ( tail ) & use the title (the job identifier) as a input to loadjob
However this will cause messy error message at the time the job is running which may dissuade usage of it entirely!
Thanks Burwell!