I believe that if ownership is nobody
, it runs as role splunk-system-user
, and splunk-system-user
Inherits role admin
, so it runs as admin
.
Of course, if savedsearches contain knowledge objects(*macro, eventtype, lookup table etc...) that are private permittion of other user, it will be fail.
But in other cases, is my understanding that there is no particular influence is correct?
HI,
I can´t find it anymore, but I once read that searches running as nobody will have a lower priority for the scheduler.
But since nobody is often applied as user for e.g. apps, when they get installed, I don´t see any reason to change this. Never had any bad experience with user nobody.