Hi,
In the past if a users develops a scheduled report whose results are used by other users and dashboards we would normally change the ownership to "nobody" so that if the person ever left the report would keep running.
We dont like using service accounts as our security team are very anti them.
But in splunk cloud if we reassign the saved search to nobody it seems to apply the cron schedule based on UTC rather than the timezone of the previous user (in our case New Zealand).
Is there someway we can set the timezone of the nobody user? We are reluctant to have to specify cron schedules in UTC when eveything we do is in NZ time.
Any suggestions?
Thanks
User "nobody" doesn't exist so there's no account for which to set a time zone.
The recommended practice is to use service accounts for shared reports and alerts. Another advantage of services accounts is the ability to assign a role to the account so searches run with non-default permissions and limits.
Also to add this has to be a local account on the search head?
The account does not have to be local. I've had customers create LDAP/SAML service accounts for Splunk.
So in splunk web with multiple or many users often we have content developers and analysts. Content developers are creating searches, alerts, dashboards, injesting data, and customizing configurations. We do run into the orphaned search issue if an account is disabled or deleted.
So I don't see in Splunk Web were we can alter the user limits or configure a role as a service account role?
Also is this covered in the Splunk Troubleshooting class?
There is no "service account" designation native to Splunk. It's up to an admin to say "this is the account we will use as our service account" and give that account a role with the desired capabilities and resource limits. Then the admin can reassign ownership of selected KOs to that account.
It's been a long time since I took the Troubleshooting class so I don't recall if this is covered, but I doubt it.
User "nobody" doesn't exist so there's no account for which to set a time zone.
The recommended practice is to use service accounts for shared reports and alerts. Another advantage of services accounts is the ability to assign a role to the account so searches run with non-default permissions and limits.