Monitoring Splunk

Why is scheduled search info on DMC incorrect if the saved searches are shared in App?

brandy81
Path Finder

Hi All,

I have two saved searches: report1, which is shared in app, and report3, which is private. The owner of both saved searches is admin. As I see in scheduler.log, the savedsearch_id for report1 is "nobody; search;report_1" and the savedsearch_id for report3 is "admin; search;report_3".

My questions are:

1. If I share the saved search in app, the owner is still admin but the saved search id is changed to "nobody;.....". Does it mean the search is running as nobody when I share the search in app?

2. When I look at these saved searches' activity on DMC -> Search -> Scheduler Activity: Instance, it does not show the cron schedule info for report_1. It leads to misinformation for search concurrency on DMC -> Search -> Search Activity: Instance.

[Image: brandy81_0-1614428701534.png]

--> DMC does not recognize report_1 as a scheduled search. It leads to the misinformation below.

[Image: brandy81_1-1614428836987.png]

--> 1/4 should be 2/4.

Could you please explain why it happens? I think DMC has to recognize two scheduled searches. It seems that if the saved search is shared, DMC doesn't track the search. Am I correct? Is it normal behavior?

I would appreciate it if you could give me any thoughts about it. Thanks.
