Knowledge Management

Service user for scheduled searches: one or more?

SplunkExplorer
Contributor

Hi Splunkers, I have a doubt about users that run scheduled searches.

Until now, I now very well that, if a user own a knowledge object like a correlation searches, when it is deleted/disabled, we can encounter some problems, like the Orphaned object one. So the best pratice is to create a service user and assign it to KO. Fine.

My wondering is: suppose we have many scheduled correlation searches, for example more than 100 and 200. Assign all those searches to one single service user is fine, or is better to create multiple one, so to avoid some performance experience?

The question is made based on a case some colleagues shared with me once: due there were some problems with search lag/skipped searches, in addiction to fix searches scheduler, involved people splitted their ownership to multiple users. Is that useful or not?

Labels (1)
0 Karma
1 Solution

deepakc
Builder

Yes, it is good practice, to create a service account. As you said, people leave and KO's become orphaned.
So, if you have a service account for say business critical app, you get the users/developers to create various private KO's for this app, then move/clone them to the main app and assign the KO's to the service account user.

I don't know if having multiple services accounts is needed, but perhaps having one account per business critical app. The service account will need to have sufficient capabilities and resources based on its Splunk role and optionally you could look at workload management rules for the different roles for different workloads, so give the important service account that belongs to a role better performance than others.

View solution in original post

deepakc
Builder

Yes, it is good practice, to create a service account. As you said, people leave and KO's become orphaned.
So, if you have a service account for say business critical app, you get the users/developers to create various private KO's for this app, then move/clone them to the main app and assign the KO's to the service account user.

I don't know if having multiple services accounts is needed, but perhaps having one account per business critical app. The service account will need to have sufficient capabilities and resources based on its Splunk role and optionally you could look at workload management rules for the different roles for different workloads, so give the important service account that belongs to a role better performance than others.

Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...