Run data model acceleration search as user instead of nobody

ranurag
Engager

We have an accelerated data model on Splunk Enterprise for which the scheduled searches are getting skipped. On checking the scheduler logs through a search query, we can see that the search is getting skipped due to concurrency limits.

Query:
index=_internal sourcetype=scheduler savedsearch_name=*_ACCELERATE_DM_* app="app-name"

Result:
search_type="datamodel_acceleration", user="nobody", app="app-name", savedsearch_name="ACCELERATE_DM_app_name_data_model_name.object_name_ACCELERATE",priority=default, status=skipped, reason="The maximum number of concurrent historical scheduled searches on this instance has been reached", concurrency_category="historical_scheduled", concurrency_context="saved-search_instance-wide", concurrency_limit=5, scheduled_time=1568278800, window_time=0

A similar issue was faced by us earlier for scheduled saved searches, and we had fixed the issue by assigning the owner of the saved searches as "admin", increasing concurrency limits for "admin" and running the saved searches as "owner".

For data model acceleration we have set the owner as "admin", but the search is still running as "nobody". Is there a way we can ensure that searches for data model acceleration run as a particular user rather than "nobody"?

The data model acceleration does complete even though searches get skipped, and there is no problem with data, but we would like to avoid the searches getting skipped.
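
One way to quantify the skips described in this question, as an added example that is not part of the original post: it parses events in the key=value shape of the scheduler result quoted above and reports, per search type and user, how often searches were skipped and which concurrency limit was hit. The sample events and saved-search names are constructed; real input would be the exported results of the scheduler query.

```python
import re
from collections import Counter, defaultdict

# key=value pairs; quoted values may contain commas and spaces
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

REASON = ("The maximum number of concurrent historical scheduled searches "
          "on this instance has been reached")
# Constructed sample events (names are placeholders, not from the original post)
SAMPLE = [
    f'search_type="datamodel_acceleration", user="nobody", app="app-name", '
    f'savedsearch_name="_ACCELERATE_DM_example_", status=skipped, reason="{REASON}", '
    f'concurrency_category="historical_scheduled", concurrency_limit=5',
    f'search_type="datamodel_acceleration", user="nobody", app="app-name", '
    f'savedsearch_name="_ACCELERATE_DM_example_", status=skipped, reason="{REASON}", '
    f'concurrency_category="historical_scheduled", concurrency_limit=5',
    'search_type="datamodel_acceleration", user="nobody", app="app-name", '
    'savedsearch_name="_ACCELERATE_DM_example_", status=success',
    'search_type="scheduled", user="admin", app="app-name", '
    'savedsearch_name="example report", status=success',
]

def parse_event(line):
    """Turn one scheduler event into a dict of field -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}

def summarize(lines):
    """Per (search_type, user): total runs, skips, skip ratio, limits hit."""
    stats = defaultdict(lambda: {"total": 0, "skipped": 0, "reasons": Counter()})
    for line in lines:
        ev = parse_event(line)
        if "status" not in ev:
            continue  # not a scheduler status event
        row = stats[(ev.get("search_type", "unknown"), ev.get("user", "unknown"))]
        row["total"] += 1
        if ev["status"] == "skipped":
            row["skipped"] += 1
            # record which concurrency bucket and limit caused the skip
            key = (ev.get("concurrency_category"), ev.get("concurrency_limit"))
            row["reasons"][key] += 1
    for row in stats.values():
        row["skip_ratio"] = row["skipped"] / row["total"]
    return dict(stats)

if __name__ == "__main__":
    for (stype, user), row in summarize(SAMPLE).items():
        print(stype, user, row["total"], row["skipped"], dict(row["reasons"]))
```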

robertlynch2020
Influencer

Did you find a solution, as I have the same issue?

0 Karma

wryanthomas
Contributor

Did you find a solution? I'm also wanting to specify the account a particular acceleration query runs as.

0 Karma