How to specify an owner for pre-canned saved searches for app packaging?

the_wolverine
Champion

I've written a bunch of scheduled searches for a Splunk app. The searches appear as having no owner. How can I specify an owner for these scheduled searches?

In order to be able to control the quota for these searches, I need to assign an owner. Otherwise, the quota is that assigned to splunk-system-user.

I need to package the app so the configuration must exist within the app context.

2 Solutions

the_wolverine
Champion

When a user creates and schedules a saved search, that search gets created in some app context and ownership of this search is specified in the user's Splunk directory ($SPLUNK/etc/users///local/savedsearches.conf).

In the case stated here, you want to package a saved search with your app that already has an owner specified. If you just create a saved search and schedule it in the app, it'll run without an owner. Without an owner, the scheduled search is run via the splunk-system-user account which has its own quota limits.

In order to specify an owner, do the following:

Create the saved search in someapp/default/savedsearches.conf:

[Errors in the last 24 hours]
search = error OR failed OR severe "more search terms"
dispatch.earliest_time = -1d
...
etc.

Then you'll specify the owner per saved search in the someapp/metadata/default.meta file:

### SAVED SEARCHES

[savedsearches/Errors%20in%20the%20last%2024%20hours]
access = read : [ * ], write : [ admin ]
owner = admin

muebel
SplunkTrust
SplunkTrust

Try setting a local.meta in the /app/splunk/etc/apps/search/metadata folder

http://www.splunk.com/base/Documentation/4.1.1/Developer/Step5SetPermissions

and

http://www.splunk.com/base/Documentation/4.1.1/Admin/Defaultmetaconf

will help.

I suspect the configuration would look like:

[<object_type>/<object_name>]
access = read : [ <comma-separated list of roles> ], write : [ <comma-separated list of roles> ]
owner = <User_Name_in_Question>

for instance:

[savedsearches/Splunk%20errors%20last%2024%20hours]
access = read : [ admin ], write : [ admin ]
owner = jdoe
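Both answers above rest on the same mechanism: a scheduled search packaged in the app runs as splunk-system-user unless a `[savedsearches/<URL-encoded name>]` stanza in the app's .meta file names an owner. As an added example (not code from either poster or from Splunk), the script below audits a packaged app's savedsearches.conf against its default.meta, lists scheduled searches that still have no owner, and renders the missing owner stanzas; the sample file contents are constructed, and it assumes `enableSched = 1` marks a search as scheduled.

```python
import configparser
from urllib.parse import quote

# Constructed sample app files (not from the post): the second search is scheduled but unowned.
SAVEDSEARCHES_CONF = """[Errors in the last 24 hours]
search = error OR failed OR severe
dispatch.earliest_time = -1d
enableSched = 1
cron_schedule = 0 * * * *

[Nightly failed logins]
search = sourcetype=linux_secure "Failed password" | stats count by src
enableSched = 1
cron_schedule = 0 2 * * *

[Ad hoc report]
search = index=main | stats count
"""
DEFAULT_META = """[savedsearches/Errors%20in%20the%20last%2024%20hours]
access = read : [ * ], write : [ admin ]
owner = admin
"""

def parse_conf(text):
    """Parse Splunk's INI-style .conf/.meta text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk attribute names are case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def meta_stanza(search_name):
    """default.meta stanza name for a saved search: the name URL-encoded (spaces -> %20)."""
    return "savedsearches/" + quote(search_name, safe="")

def scheduled_without_owner(savedsearches_text, meta_text):
    """Scheduled searches lacking an owner stanza; these would run as splunk-system-user."""
    searches = parse_conf(savedsearches_text)
    meta = parse_conf(meta_text)
    return [name for name, attrs in searches.items()
            if attrs.get("enableSched", "0") == "1"
            and not meta.get(meta_stanza(name), {}).get("owner")]

def render_owner_stanzas(names, owner, read_roles=("*",), write_roles=("admin",)):
    """Render default.meta stanzas that pin each saved search to an explicit owner."""
    lines = []
    for name in names:
        lines += ["[%s]" % meta_stanza(name),
                  "access = read : [ %s ], write : [ %s ]" % (", ".join(read_roles), ", ".join(write_roles)),
                  "owner = %s" % owner, ""]
    return "\n".join(lines)
```

The check is purely static and reads one .meta file; in a deployed app, Splunk also layers local.meta over default.meta, so feed it the merged result if you want to audit what is actually in effect.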

Hazel
Communicator

Thank you, this is really helpful.
