Best practice for creating a user/owner for a scheduled alert

New Member

Looking for best practices around setting up a common user or separate individual users for creating and running scheduled alerts/jobs.
Currently we have some scheduled alerts which are created by individual users and run with the same user. What if that user is removed or deactivated and what happens to the scheduled jobs ?

We are thinking of a common user who can schedule and run tasks/alerts . Any suggestions or best practices are appreciated.

Tags (1)
0 Karma


If a user is deleted all it's private permission knowledge objects will get deleted too. I recommend an alerting app context. Have your alerting service account save all alerts there and with shared in app permissions. Once a knowledge object is shared beyond private it will NOT be deleted when the user account is. The account needs permissions to all indexes for the searches it will run. If it is going to use the Splunk encrypted password endpoint for any custom search commands etc then it also needs the Splunk capability "admin_all_objects" which is full admin/god level control of Splunk.

You could let users make but not schedule searches. Then establish a "move to production" process where you copy or edit the meta data file owner of the knowledge object to your alert service account where you then schedule it.

0 Karma
Get Updates on the Splunk Community!

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...