Installation

How to set time zone for user "nobody"?

Keith_wgtn
Explorer

Hi,

In the past if a users develops a scheduled report whose results are used by other users and dashboards we would normally change the ownership to "nobody" so that if the person ever left the report would keep running.

We dont like using service accounts as our security team are very anti them.

But in splunk cloud if we reassign the saved search to nobody it seems to apply the cron schedule based on UTC rather than the timezone of the previous user (in our case New Zealand).

Is there someway we can set the timezone of the nobody user?  We are reluctant to have to specify cron schedules in UTC when eveything we do is in NZ time.

Any suggestions?

Thanks

Labels (1)
Tags (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

User "nobody" doesn't exist so there's no account for which to set a time zone.

The recommended practice is to use service accounts for shared reports and alerts.  Another advantage of services accounts is the ability to assign a role to the account so searches run with non-default permissions and limits.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

lugoon
Explorer

Also to add this has to be a local account on the search head?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The account does not have to be local.  I've had customers create LDAP/SAML service accounts for Splunk.

---
If this reply helps you, Karma would be appreciated.
0 Karma

lugoon
Explorer

So in splunk web with multiple or many users often we have content developers and analysts. Content developers are creating searches, alerts, dashboards, injesting data, and customizing configurations. We do run into the orphaned search issue if an account is disabled or deleted. 

So I don't see in Splunk Web were we can alter the user limits or configure a role as a service account role?

Also is this covered in the Splunk Troubleshooting class?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There is no "service account" designation native to Splunk.  It's up to an admin to say "this is the account we will use as our service account" and give that account a role with the desired capabilities and resource limits.  Then the admin can reassign ownership of selected KOs to that account.

It's been a long time since I took the Troubleshooting class so I don't recall if this is covered, but I doubt it.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust
SplunkTrust

User "nobody" doesn't exist so there's no account for which to set a time zone.

The recommended practice is to use service accounts for shared reports and alerts.  Another advantage of services accounts is the ability to assign a role to the account so searches run with non-default permissions and limits.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...