Installation

How to set time zone for user "nobody"?

Keith_wgtn
Explorer

Hi,

In the past if a users develops a scheduled report whose results are used by other users and dashboards we would normally change the ownership to "nobody" so that if the person ever left the report would keep running.

We dont like using service accounts as our security team are very anti them.

But in splunk cloud if we reassign the saved search to nobody it seems to apply the cron schedule based on UTC rather than the timezone of the previous user (in our case New Zealand).

Is there someway we can set the timezone of the nobody user?  We are reluctant to have to specify cron schedules in UTC when eveything we do is in NZ time.

Any suggestions?

Thanks

Labels (1)
Tags (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

User "nobody" doesn't exist so there's no account for which to set a time zone.

The recommended practice is to use service accounts for shared reports and alerts.  Another advantage of services accounts is the ability to assign a role to the account so searches run with non-default permissions and limits.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

lugoon
Explorer

Also to add this has to be a local account on the search head?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The account does not have to be local.  I've had customers create LDAP/SAML service accounts for Splunk.

---
If this reply helps you, Karma would be appreciated.
0 Karma

lugoon
Explorer

So in splunk web with multiple or many users often we have content developers and analysts. Content developers are creating searches, alerts, dashboards, injesting data, and customizing configurations. We do run into the orphaned search issue if an account is disabled or deleted. 

So I don't see in Splunk Web were we can alter the user limits or configure a role as a service account role?

Also is this covered in the Splunk Troubleshooting class?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

There is no "service account" designation native to Splunk.  It's up to an admin to say "this is the account we will use as our service account" and give that account a role with the desired capabilities and resource limits.  Then the admin can reassign ownership of selected KOs to that account.

It's been a long time since I took the Troubleshooting class so I don't recall if this is covered, but I doubt it.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust
SplunkTrust

User "nobody" doesn't exist so there's no account for which to set a time zone.

The recommended practice is to use service accounts for shared reports and alerts.  Another advantage of services accounts is the ability to assign a role to the account so searches run with non-default permissions and limits.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...