Solved: Re: Enabled 30 minute search won't run/populate da...

lbnsam · ‎10-29-2019

Hi there, I have gone through the installation instructions of the Meta Woot! app, however the selected search won't run.

I tested the search itself, which works just fine when run manually. The data populates when the search is run manually as well.

Any ideas why it wouldn't run on the chosen schedule? I have not tried the other tie intervals yet.

mockd · ‎10-29-2019

Hi,

A couple things to check:
- Does the job inspector show the job as having run with just zero results? Or does it show any errors?
- Have you confirmed that the scheduled search isn't being skipped?
- The searches are owned by the "admin" user when installed. Was there any changes to the ownership and/or does your admin account exist and have the correct access to the data?

Thanks!

View solution in original post

lbnsam · ‎10-31-2019

Turns out that the search was being skipped. Still investigating but the search itself was assigned to a role rather than a user and thus it was considered "Orphaned". I still don't understand why the search wouldn't run as the admin role, so I still have quite a bit to learn.

mockd · ‎10-31-2019

The owner of a KO/search etc needs to be a user, it can't be assigned to a role. So if you didn't actually have an "admin" user, then it would be considered orphaned and not scheduled.

mockd · ‎10-29-2019

Hi,

That is a bit odd. The schedule for the 30min search should be */30 * * * *.

You should be able to update it, but you might want to check if it was modified after the app was installed. You should be able to look in the meta woot app directory and see if there is a local savedsearches.conf file that would overwrite the settings from the default version.

mockd · ‎10-29-2019

Hi,

A couple things to check:
- Does the job inspector show the job as having run with just zero results? Or does it show any errors?
- Have you confirmed that the scheduled search isn't being skipped?
- The searches are owned by the "admin" user when installed. Was there any changes to the ownership and/or does your admin account exist and have the correct access to the data?

Thanks!

lbnsam · ‎10-31-2019

I'm still not certain as to why it was being skipped, investigating now. I disabled all accelerated searches to try to see if that will help.

mockd · ‎10-31-2019

From what you posted, the cron schedule for the 30min search was incorrect. Did you validate if it had been changed? (ie, a local version).

lbnsam · ‎10-31-2019

I actually switched to the 15 minute one as I was certain that it was unchanged. It also agreed with the format you provided as additional assurance.

The knowledge object was considered "Orphaned", so I reassigned it to run as Administrator, and it seems to be working fine. In fact, I just checked and it updated the Next Scheduled Time field.

It is really very strange, I installed the app as the Administrator, the searches were owned by "admin" (which I believe is the role and not any user) but it was still considered "Orphaned".

I will keep an eye on it and update this thread if it doesn't work anymore, but it seems to be working.

Is there a problem running this as Administrator? I feel like it would be best practice to change assign the KO to a different user, one with more limited permissions.

mockd · ‎10-31-2019

Ok, that would explain it. The searches and KO's should be owned by an account with appropriate permissions/capabilities to view the data in your Splunk deployment. This is normally the "admin" user which is what is configured by default. So if you are using a different account than "admin" then they should be updated.

Glad to hear it's working!

lbnsam · ‎10-31-2019

I find it strange that the admin user does not have the permissions to run this search...

If this is configured by default, why was the search considered to be orphaned?

lbnsam · ‎10-29-2019

Sorry, made a mistake when I made this question: It is actually a scheduled report that runs according to the cron job using this schedule: */30 * * * *

How do you check the job inspector for a scheduled report? When I run the report manually, all the data populates just fine, including in the required dashboards. The job inspector looks fine in this case.
How do you check if it is being skipped?
There was no change to the admin permissions/ownership, the admin does have the required accesses

Thanks for the response!

lbnsam · ‎10-29-2019

Just tried a different report option (every 15 minutes), it seems that there is a bug with the scheduling. When I enabled the other report, the field "Next Scheduled Time" populated with data.

This wasn't true for the original report I enabled.

Any ideas as to why this may not have happened for the other report?

Enabled 30 minute search won't run/populate data every 30 minutes

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?