Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can service account be used as owner of Knowledge objects in Splunk?

msatish
Path Finder
‎04-03-2025 01:17 AM

Can service account be used as owner of knowledge objects(saved searches, transforms-lookups, props-extracts, macros, and views)?Please share pros and cons.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎04-03-2025 09:22 AM

Yes you can use service user for own KOs and e.g. run those with schedules. Actually I prefer this way if possible. Probably most important thing is that usually service users don’t leave company. When normal user leave and he/she have scheduled searches, alerts etc those doesn’t work after user has removed or his/her roles are removed. Another advantage is that you could add some capabilities which you want give to normal user or those could have more resources. This also means that alerts etc don’t use user quota etc.

A negative thing is that when no one owns those KOs there could be lot of unnecessary and unused KOs and even some scheduled alerts, reports etc. running for long time and using resources.

Anyhow I see that there are more advantages to use those than avoiding those. Usually I prefer to use several service users with different integrated source systems and with different roles assigned to those svc users.

View solution in original post

Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎04-03-2025 09:22 AM

Yes you can use service user for own KOs and e.g. run those with schedules. Actually I prefer this way if possible. Probably most important thing is that usually service users don’t leave company. When normal user leave and he/she have scheduled searches, alerts etc those doesn’t work after user has removed or his/her roles are removed. Another advantage is that you could add some capabilities which you want give to normal user or those could have more resources. This also means that alerts etc don’t use user quota etc.

A negative thing is that when no one owns those KOs there could be lot of unnecessary and unused KOs and even some scheduled alerts, reports etc. running for long time and using resources.

Anyhow I see that there are more advantages to use those than avoiding those. Usually I prefer to use several service users with different integrated source systems and with different roles assigned to those svc users.

Reply
Solved! Jump to solution

msatish
Path Finder
‎04-03-2025 11:34 PM

@isoutamo Thanks for sharing your insights, this is helpful.

0 Karma
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎04-03-2025 01:39 AM

Hi @msatish 

Yes - A service account can be used in the same way any other user, infact I always recommend that knowledge objects *should* be owned by a service account because otherwise if owned by a user which leaves the organisation then the knowledge objects could become orphaned - or they could accidentally be deleted.

If using SAML (for example) with Authentication Extensions enabled then users will be automatically updated based on groups/roles in the Identity Provider - so if they leave their account will be deleted. If they move teams then they may have more/less permissions than they used to.

 

🌟 Did this answer help you? If so, please consider:

  • Adding kudos to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

Reply
Solved! Jump to solution

msatish
Path Finder
‎04-03-2025 11:35 PM

@livehybrid Thanks for sharing your insights, this is helpful.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...