Best practice for creating a user/owner for a sche...

srkumar10 · ‎10-14-2016

Looking for best practices around setting up a common user or separate individual users for creating and running scheduled alerts/jobs.
Currently we have some scheduled alerts which are created by individual users and run with the same user. What if that user is removed or deactivated and what happens to the scheduled jobs ?

We are thinking of a common user who can schedule and run tasks/alerts . Any suggestions or best practices are appreciated.

starcher · ‎10-16-2016

If a user is deleted all it's private permission knowledge objects will get deleted too. I recommend an alerting app context. Have your alerting service account save all alerts there and with shared in app permissions. Once a knowledge object is shared beyond private it will NOT be deleted when the user account is. The account needs permissions to all indexes for the searches it will run. If it is going to use the Splunk encrypted password endpoint for any custom search commands etc then it also needs the Splunk capability "admin_all_objects" which is full admin/god level control of Splunk.

You could let users make but not schedule searches. Then establish a "move to production" process where you copy or edit the meta data file owner of the knowledge object to your alert service account where you then schedule it.

http://www.georgestarcher.com/splunk-alert-scripts-automating-control/

Best practice for creating a user/owner for a scheduled alert

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor

Introducing Edge Processor: Next Gen Data Transformation