Scheduled Saved Search [CRON */30 * * * *] runs, but result is not refreshed

Path Finder

Hi Splunkers,

I have a few saved searches that query SQL DB via dbxquery and perform some calculations.
The search CRON schedule is set to */30 * * * *.

The dbxquery is something like :

SELECT top 20 * FROM tbl WHERE unitname LIKE '%integrated%' ORDER BY day DESC, shiftcode DESC

I have kept them as scheduled reports so that I can quickly check the cached results and not have to wait for the query to execute every time.

However, frequently the following happens:

This scheduled report runs on cron schedule */30 * * * *. Its time range is last 60 minutes. The following results were generated an hour ago.

This should not happen. As per the CRON exp., the results should always be generated less than 30mins back.

I have checked scheduler.log, the reports run successfully every 30mins as per the CRON exp. A sample event in scheduler.log for this savedsearch is as follows [I am masking some sensitive data with ***]:

09-04-2018 09:00:43.048 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;***IntegratedLines_30min", search_type="scheduled", user="***", app="search", savedsearch_name="***IntegratedLines_30min", priority=default, status=success, digest_mode=1, scheduled_time=1536051600, window_time=-1, dispatch_time=1536051604, run_time=8.906, result_count=35, alert_actions="", sid="***_at_1536051600_151", suppressed=0, thread_id="AlertNotifierWorker-0" 
host=M***1 source=/opt/splunk/var/log/splunk/scheduler.log sourcetype=scheduler

The data that is generated is not refreshed as well. If I run the query manually, I get the refreshed data.
Please note that the time range for the search does not matter since we are not working on indexed data.

Is this something related to dbxquery, or am I missing out something?

Let me know if you guys need more information.

Thanks in advance!

0 Karma

Path Finder

We have encountered the same (a similar?) problem: The results shown under "reports" are not the most recent ones. We frequently see a sentence on top like "The following results were generated 7 days ago." while the most recent results were generated today (we can actually see them through "searches, reports and alerts" and clicking "View recent" for the correct scheduled search. This seems to be a bug of the "reports" view?

Splunk version: 7.1.1

P.s. we áre working with indexed data.

0 Karma

Path Finder

PS: We know for a fact that the data at the source db will mandatorily change within any 30mins period. Thus there is absolute zero chance of the data not getting refreshed due to no change in source data.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!