Knowledge Management

Service user for scheduled searches: one or more?

SplunkExplorer
Contributor

Hi Splunkers, I have a doubt about users that run scheduled searches.

Until now, I know very well that, if a user owns a knowledge object like a correlation search, when it is deleted/disabled, we can encounter some problems, like the orphaned object one. So the best practice is to create a service user and assign it to the KO. Fine.

What I am wondering is: suppose we have many scheduled correlation searches, for example more than 100 or 200. Is assigning all those searches to one single service user fine, or is it better to create multiple ones, so as to avoid some performance experience?

The question is based on a case some colleagues shared with me once: because there were some problems with search lag/skipped searches, in addition to fixing the search scheduler, the people involved split their ownership across multiple users. Is that useful or not?


deepakc
Builder

Yes, it is good practice to create a service account. As you said, people leave and KOs become orphaned.
So, if you have a service account for, say, a business-critical app, you get the users/developers to create various private KOs for this app, then move/clone them to the main app and assign the KOs to the service account user.

I don't know if having multiple service accounts is needed, but perhaps having one account per business-critical app. The service account will need to have sufficient capabilities and resources based on its Splunk role, and optionally you could look at workload management rules for the different roles for different workloads, so give the important service account that belongs to a role better performance than others.
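As an added example (not part of either post, and not Splunk's own tooling): a small offline audit that reads an app's `savedsearches.conf` and `metadata/local.meta` and reports how many scheduled searches each owner holds and which ones are not yet owned by a service account. The file contents, search names and the accounts `svc_detections` and `jsmith` are constructed, and treating a search with no recorded owner as `nobody` is an assumption.

```python
from collections import Counter
from urllib.parse import unquote
# Constructed sample files for illustration; not taken from the thread.
SAVEDSEARCHES_CONF = """\
[Constructed - Failed Logins - Rule]
enableSched = 1
search = index=auth action=failure \\
| stats count by user
[Constructed - Beaconing - Rule]
enableSched = 1
[Constructed - Ad Hoc Helper]
enableSched = 0
"""
LOCAL_META = """\
[savedsearches/Constructed%20-%20Failed%20Logins%20-%20Rule]
owner = svc_detections
[savedsearches/Constructed%20-%20Beaconing%20-%20Rule]
owner = jsmith
"""

def parse_conf(text):
    """Minimal Splunk .conf/.meta reader: {stanza: {key: value}}."""
    stanzas, current, continued = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        was_continued, continued = continued, line.endswith("\\")
        if was_continued or not line or line.startswith("#"):
            continue  # skip continuation lines, blanks and comments
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit_owners(conf_text, meta_text, service_accounts):
    """Count scheduled searches per owner and list those not owned by a service account."""
    owners = {unquote(s.split("/", 1)[1]): kv["owner"]
              for s, kv in parse_conf(meta_text).items()
              if s.startswith("savedsearches/") and "owner" in kv}
    per_owner, flagged = Counter(), []
    for name, kv in parse_conf(conf_text).items():
        if kv.get("enableSched", "0").lower() not in ("1", "true"):
            continue  # only scheduled searches matter here
        owner = owners.get(name, "nobody")  # assumption: no owner recorded means "nobody"
        per_owner[owner] += 1
        if owner not in service_accounts:
            flagged.append((name, owner))
    return per_owner, sorted(flagged)
```

Calling `audit_owners(SAVEDSEARCHES_CONF, LOCAL_META, {"svc_detections"})` returns the per-owner counts plus the list of scheduled searches still tied to a personal account, which is the set to reassign before that user is disabled.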
