https://community.splunk.com/t5/Splunk-Search/savedsearch-will-not-run-via-cron-schedule-but-can-be-ran/m-p/658322#M227403 <P>IMO, user Nobody should not be used.&nbsp; All scheduled searches should be owned by a real user, even if it's a service account.&nbsp; That means the user running the search would have a role that specifies what accesses and resources the search has. When a search runs manually, it takes on the role of the person running it (unless set to "run as owner").</P><P>Make sure the search in question has read access to all of the knowledge objects it needs.&nbsp; IOW, each KO should be set to "Everyone" in the Read column (if using Nobody, that is; otherwise, set the permissions for the roles that need access).</P> Thu, 21 Sep 2023 18:27:23 GMT richgalloway 2023-09-21T18:27:23Z https://community.splunk.com/t5/Splunk-Search/savedsearch-will-not-run-via-cron-schedule-but-can-be-ran/m-p/658301#M227397 <DIV>I am fighting with what I think is a knowledge object permission at the moment, but not 100% sure of this.</DIV><DIV>&nbsp;</DIV><DIV><U><STRONG>Context</STRONG></U></DIV><DIV><DIV><DIV>I have 2 apps&nbsp;</DIV><DIV>&nbsp;1) mainapp with savedsearches, macros, dashboards, etc.</DIV><DIV>&nbsp;2) mainapp_TA, containing most of the *.config files (props, transforms, etc.)<BR /><DIV><DIV class=""><DIV><DIV>&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV><DIV>Based on the GUI Settings &gt; pages, all ...<BR />* savedsearches are all set to owner=nobody</DIV><DIV>* macros are set to owner= No Owner</DIV><DIV>* Sharing is set to App for everything</DIV><DIV><DIV><DIV class=""><DIV><DIV>&nbsp;</DIV></DIV></DIV></DIV></DIV></DIV><DIV><U><STRONG>Issue</STRONG></U></DIV><UL><LI>One of my 7 savedsearches will NOT run using a CRON schedule when the owner=nobody. The other savedsearches run just fine.</LI><LI>However, once I set owner=greg in /metadata/local.meta, the CRON schedule runs just fine.<UL><LI>Note: I tried setting owner to another user in our environment, and the the CRON would NOT run. So, somehow this savedsearch is tied to me and I am not sure how to "untie" it.</LI></UL></LI><LI>When the owner=nobody on this savedsearch, I can manually hit "run" from the Settings &gt;&nbsp;Searches, Reports, and Alerts page and it works every time.</LI></UL><DIV>&nbsp;</DIV><DIV>I cannot figure out WHY this savedsearch is special and requires me to be the owner.</DIV><DIV>&nbsp;</DIV><DIV><DIV class=""><DIV><DIV>I have to be missing something but not sure where to look now.</DIV><DIV>&nbsp;</DIV><DIV>Any help is greatly appreciated.<BR /><BR />Regards, Greg</DIV></DIV></DIV></DIV> Thu, 21 Sep 2023 14:20:14 GMT https://community.splunk.com/t5/Splunk-Search/savedsearch-will-not-run-via-cron-schedule-but-can-be-ran/m-p/658301#M227397 GregSmith 2023-09-21T14:20:14Z https://community.splunk.com/t5/Splunk-Search/savedsearch-will-not-run-via-cron-schedule-but-can-be-ran/m-p/658322#M227403 <P>IMO, user Nobody should not be used.&nbsp; All scheduled searches should be owned by a real user, even if it's a service account.&nbsp; That means the user running the search would have a role that specifies what accesses and resources the search has. When a search runs manually, it takes on the role of the person running it (unless set to "run as owner").</P><P>Make sure the search in question has read access to all of the knowledge objects it needs.&nbsp; IOW, each KO should be set to "Everyone" in the Read column (if using Nobody, that is; otherwise, set the permissions for the roles that need access).</P> Thu, 21 Sep 2023 18:27:23 GMT https://community.splunk.com/t5/Splunk-Search/savedsearch-will-not-run-via-cron-schedule-but-can-be-ran/m-p/658322#M227403 richgalloway 2023-09-21T18:27:23Z https://community.splunk.com/t5/Splunk-Search/savedsearch-will-not-run-via-cron-schedule-but-can-be-ran/m-p/658323#M227404 <P>Thank you. Will give it a try and let the forum know.<BR /><BR />Greatly appreciate the response and path forward.</P><P>Regards, Greg</P> Thu, 21 Sep 2023 17:27:17 GMT https://community.splunk.com/t5/Splunk-Search/savedsearch-will-not-run-via-cron-schedule-but-can-be-ran/m-p/658323#M227404 GregSmith 2023-09-21T17:27:17Z