Hi Splunkers,
I have a few saved searches that query SQL DB via dbxquery and perform some calculations.
The search CRON schedule is set to */30 * * * * .
The dbxquery is something like :
SELECT top 20 * FROM tbl WHERE unitname LIKE '%integrated%' ORDER BY day DESC, shiftcode DESC
I have kept them as scheduled reports so that I can quickly check the cached results and not have to wait for the query to execute every time.
However, frequently the following happens:
This scheduled report runs on cron schedule */30 * * * *. Its time range is last 60 minutes. The following results were generated an hour ago.
This should not happen. As per the CRON exp., the results should always be generated less than 30mins back.
I have checked scheduler.log, the reports run successfully every 30mins as per the CRON exp. A sample event in scheduler.log for this savedsearch is as follows [I am masking some sensitive data with ***]:
09-04-2018 09:00:43.048 +0000 INFO SavedSplunker - savedsearch_id="nobody;search;***IntegratedLines_30min", search_type="scheduled", user="***", app="search", savedsearch_name="***IntegratedLines_30min", priority=default, status=success, digest_mode=1, scheduled_time=1536051600, window_time=-1, dispatch_time=1536051604, run_time=8.906, result_count=35, alert_actions="", sid="***_at_1536051600_151", suppressed=0, thread_id="AlertNotifierWorker-0"
host=M***1 source=/opt/splunk/var/log/splunk/scheduler.log sourcetype=scheduler
The data that is generated is not refreshed as well. If I run the query manually, I get the refreshed data.
Please note that the time range for the search does not matter since we are not working on indexed data.
Is this something related to dbxquery, or am I missing out something?
Let me know if you guys need more information.
Thanks in advance!
... View more