Why is scheduled search info on DMC incorrect if the saved searches are shared in App?

Hi All,

I have two saved searches: report1, which is shared in app, and report3, which is private. The owner of both saved searches is admin. As I see in scheduler.log, savedsearch_id for report1 is "nobody; search;report_1" and savedsearch_id for report3 is "admin; search;report_3".

My questions are:

1. If I share the saved search in app, the owner is still admin but the saved search id is changed to "nobody;.....". Does it mean the search is running as nobody when I share the search in app?

2. When I look at the activity of these saved searches on DMC -> Search -> Scheduler Activity: Instance, it does not show the cron schedule info for report_1. It leads to misinformation for search concurrency on DMC -> Search -> Search Activity: Instance.

--> DMC does not recognize report_1 as a scheduled search. It leads to the misinformation below.


--> 1/4 should be 2/4.

Could you please explain why it happens? I think DMC has to recognize two scheduled searches. It seems that if the saved search is shared, DMC doesn't track the search. Am I correct? Is it normal behavior?

I would appreciate it if you could give me any thoughts about it. Thanks.
