I am running Splunk v7.0 and it was working fine with my scheduled reports, and then a week ago I restarted the machines (forwarder, indexer and search head). After that, no scheduled reports are sent anymore. I checked their status and all of them are enabled. The problem is that when I change the schedule, it won't save any time; each time it says it's (none) and it won't change to any time. This happens with all my alerts too: when I make a new one, it won't save it. I need to send those scheduled reports, so what can I do to change these scheduled reports from none? Every time I make a scheduled report and save it, it won't change from none.
Please, I need some help.
You are probably using SSO for authentication. In such a situation, after a reboot, none of the Knowledge Objects owned by any user will function, including Scheduled Searches, until that user logs in again. There is a similar problem with LDAP authentication but it clears for ALL users whenever ANY user logs in after a restart. For SSO, it clears for EACH user when THAT user logs in after a restart. So you can have the owner of the search login or you can transfer ownership to yourself. This is why we have all objects always owned by the non-user nobody in Production so this can never happen.
And I am grateful that you replied because I really need help with this problem. Can you tell me how to find out about SSO and change it?
The quickest way to fix it is to login as admin, find the searches that aren't running, see who owns them, create a local user (settings -> access controls -> users -> new user) with the same login name as the SSO user with the appropriate roles (and inherited privileges) and save that. Instantly the user should inherit those privileges and everything should start working.
The long-term solution is to go into every $SPLUNK_HOME/etc/apps/*/metadata/local.meta file and delete the owner= lines. This will cause everything to be owned by the non-user called nobody who always has basic privileges. Either that or create an actual local system account that always exists and always owns everything.
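An added example, not part of the answer above and not Splunk's own code: before deleting any owner= lines, this Python sketch parses the text of a metadata/local.meta file and groups saved searches by owner, so you can see which scheduled searches depend on which account. The sample content and function names are constructed for illustration; treating a stanza with no owner= line as owned by nobody follows the answer's statement.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample of a metadata/local.meta file (not taken from the thread).
SAMPLE_LOCAL_META = """\
[savedsearches/Daily%20Error%20Report]
owner = alice
version = 7.0.0

[savedsearches/Weekly%20Login%20Summary]
access = read : [ * ], write : [ admin ]
owner = bob

[views/ops_dashboard]
owner = alice

[savedsearches/License%20Usage]
version = 7.0.0
"""

STANZA = re.compile(r"^\[(.*)\]\s*$")
OWNER = re.compile(r"^owner\s*=\s*(.*?)\s*$")

def owners_by_object(meta_text):
    """Map each stanza (object) to its owner; no owner= line means 'nobody'."""
    result, current = {}, None
    for line in meta_text.splitlines():
        m = STANZA.match(line)
        if m:
            current = unquote(m.group(1))  # stanza names are URL-encoded
            result[current] = "nobody"
            continue
        m = OWNER.match(line)
        if m and current is not None:
            result[current] = m.group(1)
    return result

def saved_searches_per_owner(meta_text):
    """Group saved searches by owner so affected scheduled searches can be reviewed."""
    grouped = defaultdict(list)
    for obj, owner in owners_by_object(meta_text).items():
        if obj.startswith("savedsearches/"):
            grouped[owner].append(obj.split("/", 1)[1])
    return dict(grouped)

if __name__ == "__main__":
    for owner, names in sorted(saved_searches_per_owner(SAMPLE_LOCAL_META).items()):
        print(f"{owner}: {', '.join(names)}")
```

To use it on a real search head, pass in the text read from each $SPLUNK_HOME/etc/apps/*/metadata/local.meta file instead of the sample.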
I did the same steps and created a new user with admin privileges and logged in, and the same thing happens: when I schedule a report it won't change from none, as if it's not saving my change.
How can I change SSO? I am admin and I have access to everything.
Hi @bassel12,
are you sure that after the restart of the Search Head (the Splunk server where searches are executed!) no connection parameters (e.g. firewall ports) were changed?
You can check this using telnet.
In your installation, are there other reports/alerts that send emails? How do they work?
Ciao.
Giuseppe
And the searches are executed well but I can't schedule them.
Every connection is pingable. I can already send a test email as PDF, but when I save it as scheduled it says none, as if I had done nothing. Every time I set a schedule, it doesn't change its status from none.
try using telnet and the port of each connection:
telnet your_email_ip_address 465
Ciao.
Giuseppe