Reporting

savedsearches.conf from git: Why are scheduled searches being skipped?

dcparker
Path Finder

Hey all,

I am trying a new way to manage some of our Splunk alerts by placing them in the app's repo in Git. With this, I have a jenkins job that copies this "app" (basically a savedsearches.conf) over and reloads it through the API. Everything is working great, except the scheduled searches are showing "skipped" and aren't emailing or anything. Here's an example of the log:

10-22-2014 14:01:10.254 -0500 INFO  SavedSplunker - savedsearch_id="nobody;alert-v2;this should email us", user="nobody", app="alert-v2", savedsearch_name="this should email us", status=skipped, scheduled_time=1414004340

I have a few theories...but I haven't been able to confirm them.

  1. I had the app hidden in the UI, would that cause this?
  2. does it matter if the user is nobody and the search has no owner? Is there a way to set that generically without having to update a metadata file in git each time a new search is added?

Any help is appreciated, thanks!

lmyrefelt
Builder

I would go for option 1

In most cases you dont have to think about the "nobody" user ...

0 Karma

lmyrefelt
Builder

Scratch that .. I have multiple "hidden" apps with scheduled /saved searches that are running ... i will have to pass on that one ... 😉

sorry

Nobody is just the user that "gets assigned" to objects withour any owner.

0 Karma

norbert_hamel
Communicator

The user=nobody shows up in the internal logs if there is no user defined in the local.meta file. The list of searches in Splunk web will then show "No Owner". I don't think that this will cause skipping the search.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...