Reporting

I need urgent help with Splunk scheduled reports

bassel12
Explorer

I am running Splunk v7.0 and it was working fine with my scheduled reports. Then a week ago I restarted the machines (forwarder, indexer and search head). After that, no scheduled reports are sent any more. I checked their status and all of them are enabled. The problem is that when I change the schedule it won't save any time; each time it says (none) and it won't change to any time. This happens with all my alerts too: when I make a new one it won't save it. I need to send those scheduled reports, so what can I do to change these scheduled reports from none? Every time I make a scheduled report and save it, it won't change from none.
Please, I need some help.

woodcock
Esteemed Legend

You are probably using SSO for authentication. In such a situation, after a reboot, none of the Knowledge Objects owned by any user will function, including Scheduled Searches, until that user logs in again. There is a similar problem with LDAP authentication but it clears for ALL users whenever ANY user logs in after a restart. For SSO, it clears for EACH user when THAT user logs in after a restart. So you can have the owner of the search log in or you can transfer ownership to yourself. This is why we have all objects always owned by the non-user nobody in Production so this can never happen.

0 Karma

bassel12
Explorer

And I am grateful that you replied because I really need help with this problem. Can you tell me how to find out about SSO and change it?

0 Karma

woodcock
Esteemed Legend

The quickest way to fix it is to log in as admin, find the searches that aren't running, see who owns them, create a local user (Settings -> Access controls -> Users -> New User) with the same login name as the SSO user with the appropriate roles (and inherited privileges) and save that. Instantly the user should inherit those privileges and everything should start working.

The long-term solution is to go into every $SPLUNK_HOME/etc/apps/*/metadata/local.meta file and delete the owner= lines. This will cause everything to be owned by the non-user called nobody who always has basic privileges. Either that or create an actual local system account that always exists and always owns everything.

0 Karma
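
To see which objects are affected before following the answer above, the owner= lines in each local.meta file can be listed per stanza. This is an added example, not code from the thread or from Splunk; the function names are hypothetical and SAMPLE_META is constructed sample data.

```python
import glob
import os
import re

# Constructed sample of a local.meta file (not taken from the thread).
SAMPLE_META = """\
[savedsearches/Daily%20Login%20Report]
owner = jsmith
version = 7.0.0

[savedsearches/Disk%20Alert]
access = read : [ * ], write : [ admin ]

[views/overview]
owner = nobody
"""

STANZA_RE = re.compile(r"^\[(.*)\]\s*$")
OWNER_RE = re.compile(r"^\s*owner\s*=\s*(.*?)\s*$")


def owners_in_meta(text):
    """Return {stanza: owner} for every stanza that has an explicit owner line."""
    owners, stanza = {}, None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group(1)
            continue
        m = OWNER_RE.match(line)
        if m and stanza is not None:
            owners[stanza] = m.group(1)
    return owners


def strip_owner_lines(text):
    """Return the file text with every owner= line removed, as the answer describes."""
    kept = [l for l in text.splitlines(keepends=True) if not OWNER_RE.match(l)]
    return "".join(kept)


def audit(splunk_home):
    """Map each etc/apps/*/metadata/local.meta path to its per-stanza owners."""
    pattern = os.path.join(splunk_home, "etc", "apps", "*", "metadata", "local.meta")
    report = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            report[path] = owners_in_meta(fh.read())
    return report
```

Calling audit() with the value of $SPLUNK_HOME shows which saved searches are tied to a named user; strip_owner_lines() only returns the edited text, so the original file stays untouched until the result is reviewed and written back.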

bassel12
Explorer

I did the same steps and created a new user with admin privileges and logged in, and the same thing happens: when I schedule a report it won't change from none, as if it's not saving my change.

0 Karma

bassel12
Explorer

How can I change SSO? I am admin and I have access to everything.

0 Karma

gcusello
SplunkTrust

Hi @bassel12,
are you sure that after the restart of the Search Head (the Splunk server where searches are executed!) no connection parameters (e.g. firewall ports) were changed?
You can check this using telnet.

In your installation, are there other reports/alerts that send emails? How do they work?

Ciao.
Giuseppe

0 Karma

bassel12
Explorer

And the searches are executed well, but I can't schedule them.

0 Karma

bassel12
Explorer

Every connection is pingable. I can already send a test email as PDF, but when I save it as scheduled it says none, as if I had done nothing. Every time I set a schedule, its status doesn't change from none.

0 Karma

gcusello
SplunkTrust

Try using telnet and the port of each connection:

telnet your_email_ip_address 465

Ciao.
Giuseppe

0 Karma

bassel12
Explorer

And the searches are executed well, but I can't schedule them.

0 Karma