Knowledge Management

Pros/cons of using "owner = nobody" as related to Splunk quotas

dglinder
Path Finder

We have a number of jobs running as "admin" that run and create large temporary files on disk, and when the disk quota kicks in we aren't certain if it is due to this job or another job running as admin. Since this is a server shared between multiple development teams, I don't want one team's search to impact other teams' ability to debug their code.

In the past, a fellow admin has changed the owner to "nobody" to get around the quota problem without resorting to increasing a quota - apparently "nobody" does not have any quota restrictions?

My thought is to change the owner of the job to the name of the developer or team that created it and work with them to either resolve the quota issue, or increase their quota to allow these jobs to run.

Here are my questions:

  1. I'm OK with using "nobody" to work around the quota restrictions for a short time if that works. I can't find a document/wiki/answer that addresses what restrictions the "nobody" owner has - can anyone help?
  2. How have others addressed this? I'm tempted to create a "team account" that is just for running that team's jobs while keeping the ability to control run-away jobs in check. Are there other options I've overlooked?
  3. Is the "splunk-system-user" an appropriate owner for these jobs? My gut says no since it's usually for internal/system jobs and could be as bad as "admin".

dolivasoh
Contributor

This is pretty old, but in newer versions of Splunk you can delegate whether a report runs as owner or user. If you select the user option, the job will run as the user, thus respecting the quotas for that user and role. If your teams are assigned to different roles, this will enable you to ensure that team A's jobs do not impact team B's.

0 Karma

sheamus69
Communicator

How would you go about doing this?

0 Karma

jbrinkman
Explorer

If it's scheduled it must run as owner. Could modify the metadata files to shift ownership or remove it entirely (nobody).

The run as owner or user referenced above I believe is for dashboards and the running of searches. You can build the dashboard to run the search contained within it, which runs as the user accessing the dashboard. Or you can set up the dashboard to reference the saved search which can run as the owner for that search.

0 Karma