Monitoring Splunk

Why is scheduled searches info on DMC incorrect if the saved search are sharing in App?

brandy81
Path Finder

Hi All,

I have two saved search ; report1, which is shared in app and report3, which is private. Owner of two saved search is admin both. As I see the scheduler.log, seavedsearch_id for report1 is "nobody; search;report_1 and seavedsearch_id for report3 is "admin; search;report_3".

My question is..

1. If I share the saved search in app, the owner is still admin but the saved search id is changed to "nobody;.....". Does it mean the search is running as nobody when I share the search in app?

2. When I see these saved search activity on DMC -> Search -> Scheduler Activity: Instance, it dose not show  the cron schedule info for report_1. It leads to misinformation for search concurrency on DMC -> Search -> Search Activity: Instance. 

brandy81_0-1614428701534.png

--> DMC dose not recognize report_1 as scheduled search. It leads to misinformation below

brandy81_1-1614428836987.png

--> 1/4 should be 2/4.

Could you please explain why it happens? I think DMC has to recognize two scheduled searched. It seems that if the saved search is shared, DMC don't track the search. Am I correct?  Is it normal behavior?

I would appreciate if you give me any thought about it. Thanks.

Labels (2)
0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.