How to set time zone for user "nobody"?

Keith_wgtn
Explorer

Hi,

In the past, if a user develops a scheduled report whose results are used by other users and dashboards, we would normally change the ownership to "nobody" so that if the person ever left, the report would keep running.

We don't like using service accounts as our security team are very anti them.

But in Splunk Cloud, if we reassign the saved search to nobody, it seems to apply the cron schedule based on UTC rather than the timezone of the previous user (in our case New Zealand).

Is there some way we can set the timezone of the nobody user? We are reluctant to have to specify cron schedules in UTC when everything we do is in NZ time.

Any suggestions?

Thanks


richgalloway
SplunkTrust

User "nobody" doesn't exist so there's no account for which to set a time zone.

The recommended practice is to use service accounts for shared reports and alerts. Another advantage of service accounts is the ability to assign a role to the account so searches run with non-default permissions and limits.

---
If this reply helps you, Karma would be appreciated.


lugoon
Explorer

Also to add this has to be a local account on the search head?


richgalloway
SplunkTrust

The account does not have to be local. I've had customers create LDAP/SAML service accounts for Splunk.

---
If this reply helps you, Karma would be appreciated.

lugoon
Explorer

So in Splunk Web with multiple or many users, often we have content developers and analysts. Content developers are creating searches, alerts, dashboards, ingesting data, and customizing configurations. We do run into the orphaned search issue if an account is disabled or deleted.

So I don't see in Splunk Web where we can alter the user limits or configure a role as a service account role?

Also is this covered in the Splunk Troubleshooting class?


richgalloway
SplunkTrust

There is no "service account" designation native to Splunk. It's up to an admin to say "this is the account we will use as our service account" and give that account a role with the desired capabilities and resource limits. Then the admin can reassign ownership of selected KOs to that account.

It's been a long time since I took the Troubleshooting class so I don't recall if this is covered, but I doubt it.

---
If this reply helps you, Karma would be appreciated.
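
Added example, not part of the thread and not Splunk's own code: a small audit that picks out the scheduled searches an admin would reassign to a designated service account, either because they are owned by "nobody" or because their owner is no longer an active account. The sample payload is constructed to resemble saved-search JSON from the Splunk REST API; `ACTIVE_USERS`, `svc_reports` and all search names are assumptions for illustration.

```python
import json

# Constructed sample shaped like the JSON returned by Splunk's saved/searches
# REST endpoint (output_mode=json). All names and schedules are invented.
SAMPLE = json.loads("""
{"entry": [
 {"name": "Daily sales report", "acl": {"owner": "nobody", "app": "search"},
  "content": {"is_scheduled": true, "cron_schedule": "0 8 * * *"}},
 {"name": "Failed logins alert", "acl": {"owner": "jsmith", "app": "search"},
  "content": {"is_scheduled": "1", "cron_schedule": "*/15 * * * *"}},
 {"name": "Weekly capacity report", "acl": {"owner": "svc_reports", "app": "search"},
  "content": {"is_scheduled": true, "cron_schedule": "0 6 * * 1"}},
 {"name": "Ad hoc lookup", "acl": {"owner": "nobody", "app": "search"},
  "content": {"is_scheduled": false, "cron_schedule": ""}}
]}
""")

# Assumption: the set of enabled accounts, e.g. exported from your IdP.
ACTIVE_USERS = {"svc_reports", "alice"}


def is_scheduled(content):
    """Splunk may report the flag as a JSON boolean or as "1"/"0"."""
    return str(content.get("is_scheduled", "")).lower() in ("1", "true")


def audit_owners(payload, active_users):
    """Return (name, owner, cron, reason) for scheduled searches needing an owner."""
    findings = []
    for entry in payload.get("entry", []):
        content = entry.get("content", {})
        if not is_scheduled(content):
            continue
        owner = entry.get("acl", {}).get("owner", "")
        if owner == "nobody":
            reason = "no account behind 'nobody', so no time zone can be set"
        elif owner not in active_users:
            reason = "owner is not an active account (orphaned search)"
        else:
            continue
        findings.append((entry["name"], owner, content.get("cron_schedule"), reason))
    return findings


if __name__ == "__main__":
    for name, owner, cron, reason in audit_owners(SAMPLE, ACTIVE_USERS):
        print(f"{name!r} owner={owner} cron={cron!r}: {reason}")
```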