I am trying a new way to manage some of our Splunk alerts by placing them in the app's repo in Git. With this, I have a Jenkins job that copies this "app" (basically a savedsearches.conf) over and reloads it through the API. Everything is working great, except the scheduled searches are showing "skipped" and aren't emailing or anything. Here's an example of the log:
10-22-2014 14:01:10.254 -0500 INFO SavedSplunker - savedsearch_id="nobody;alert-v2;this should email us", user="nobody", app="alert-v2", savedsearch_name="this should email us", status=skipped, scheduled_time=1414004340
I have a few theories...but I haven't been able to confirm them.
Any help is appreciated, thanks!
Scratch that... I have multiple "hidden" apps with scheduled/saved searches that are running... I will have to pass on that one... 😉
Nobody is just the user that "gets assigned" to objects without any owner.
The user=nobody shows up in the internal logs if there is no user defined in the local.meta file. The list of searches in Splunk web will then show "No Owner". I don't think that this will cause skipping the search.
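To make this kind of triage repeatable, here is an added example (not code from anyone in this thread) that parses SavedSplunker lines in the format quoted in the question, tallies skipped scheduled searches per app and owner, and lists the skipped ones whose owner is the `nobody` pseudo-user so an admin can check their local.meta. The sample log is constructed; only the first line is the one posted above.

```python
import re
from collections import Counter

# Constructed sample in the SavedSplunker format from the thread; the first
# line is the one posted in the question, the others are made up for illustration.
SAMPLE_LOG = """\
10-22-2014 14:01:10.254 -0500 INFO SavedSplunker - savedsearch_id="nobody;alert-v2;this should email us", user="nobody", app="alert-v2", savedsearch_name="this should email us", status=skipped, scheduled_time=1414004340
10-22-2014 14:05:10.101 -0500 INFO SavedSplunker - savedsearch_id="admin;search;errors per host", user="admin", app="search", savedsearch_name="errors per host", status=success, scheduled_time=1414004700
10-22-2014 14:10:10.377 -0500 INFO SavedSplunker - savedsearch_id="nobody;alert-v2;disk full", user="nobody", app="alert-v2", savedsearch_name="disk full", status=skipped, scheduled_time=1414004940
"""

# key=value pairs: values are either double-quoted (may contain spaces and
# semicolons) or bare tokens terminated by a comma or end of line.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+?))(?:,|$)')


def parse_savedsplunker_line(line):
    """Return a dict of fields from one SavedSplunker line, or None for other lines."""
    if "SavedSplunker - " not in line:
        return None
    _, _, body = line.partition("SavedSplunker - ")
    fields = {key: quoted or bare for key, quoted, bare in _KV_RE.findall(body)}
    if "scheduled_time" in fields:  # epoch seconds as an int so it can be compared
        fields["scheduled_time"] = int(fields["scheduled_time"])
    return fields


def skipped_summary(log_text):
    """Count skipped searches per (app, user) and list the skipped ones owned by
    'nobody', i.e. with no owner recorded in metadata (see the reply above)."""
    counts = Counter()
    unowned = []
    for line in log_text.splitlines():
        rec = parse_savedsplunker_line(line)
        if not rec or rec.get("status") != "skipped":
            continue
        counts[(rec["app"], rec["user"])] += 1
        if rec["user"] == "nobody":
            unowned.append(rec["savedsearch_name"])
    return counts, unowned


if __name__ == "__main__":
    counts, unowned = skipped_summary(SAMPLE_LOG)
    for (app, user), n in counts.items():
        print(f"app={app} user={user} skipped={n}")
    print("skipped searches with no owner:", unowned)
```

Point it at the real `splunkd.log` contents instead of `SAMPLE_LOG` to see which apps and owners the skips cluster under.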