Reporting

savedsearches.conf from git: Why are scheduled searches being skipped?

Path Finder

Hey all,

I am trying a new way to manage some of our Splunk alerts by placing them in the app's repo in Git. With this, I have a jenkins job that copies this "app" (basically a savedsearches.conf) over and reloads it through the API. Everything is working great, except the scheduled searches are showing "skipped" and aren't emailing or anything. Here's an example of the log:

10-22-2014 14:01:10.254 -0500 INFO  SavedSplunker - savedsearch_id="nobody;alert-v2;this should email us", user="nobody", app="alert-v2", savedsearch_name="this should email us", status=skipped, scheduled_time=1414004340

I have a few theories...but I haven't been able to confirm them.

  1. I had the app hidden in the UI, would that cause this?
  2. does it matter if the user is nobody and the search has no owner? Is there a way to set that generically without having to update a metadata file in git each time a new search is added?

Any help is appreciated, thanks!

Builder

I would go for option 1

In most cases you dont have to think about the "nobody" user ...

0 Karma

Builder

Scratch that .. I have multiple "hidden" apps with scheduled /saved searches that are running ... i will have to pass on that one ... 😉

sorry

Nobody is just the user that "gets assigned" to objects withour any owner.

0 Karma

Communicator

The user=nobody shows up in the internal logs if there is no user defined in the local.meta file. The list of searches in Splunk web will then show "No Owner". I don't think that this will cause skipping the search.

0 Karma