I saw several questions about the user "nobody", and would like to get a clear explanation of the meaning and implication.
Here are some of the answers I saw, but they are too specific:
Here is the official answer at the time of Splunk version 6.6 7.0, 7.1 and 7.2
The user "nobody" in the manager is a catch all name for all the objects that :
Technically, there is no user "nobody" in Splunk. The manager will NEVER allow you to create one, and you should not create such a user in LDAP.
However this can be confusing because :
What happens If a scheduled search has no owner :
What not to do if you have orphan object (and scheduled searches, or scheduled views ...)
What to do if you have orphan searches:
About the solution "Reassign them to an existing user if you really need them to run again"
This is a good option if you have scheduled searches that need to keep running. You create a specific user (like a service user), with appropriate role with capacity for search concurrency and capabilities. And have the critical searches run as this user.
Then if you have other objects (fields extractions, views, etc...), that other users need to access, you can share them (in the app, or globally).
PS : this is equivalent to removing the ownership (and keep the object shared by default in the app). (by editing the conf files and meta files on disk, not possible to do so from the UI).
The difference is that those app object without owner are scheduled searches, they will run as the splunk-system-user, that usually inherits from the role admin.