Why is scheduled searches info on DMC incorrect if...

brandy81 · ‎02-27-2021

Hi All,

I have two saved search ; report1, which is shared in app and report3, which is private. Owner of two saved search is admin both. As I see the scheduler.log, seavedsearch_id for report1 is "nobody; search;report_1 and seavedsearch_id for report3 is "admin; search;report_3".

My question is..

1. If I share the saved search in app, the owner is still admin but the saved search id is changed to "nobody;.....". Does it mean the search is running as nobody when I share the search in app?

2. When I see these saved search activity on DMC -> Search -> Scheduler Activity: Instance, it dose not show the cron schedule info for report_1. It leads to misinformation for search concurrency on DMC -> Search -> Search Activity: Instance.

--> DMC dose not recognize report_1 as scheduled search. It leads to misinformation below

--> 1/4 should be 2/4.

Could you please explain why it happens? I think DMC has to recognize two scheduled searched. It seems that if the saved search is shared, DMC don't track the search. Am I correct? Is it normal behavior?

I would appreciate if you give me any thought about it. Thanks.

Why is scheduled searches info on DMC incorrect if the saved search are sharing in App?

monitoring console

scheduler activity

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life