Splunk Enterprise

In handler 'savedsearch': Data could not be written: /nobody/search/savedsearches/SplunkOnlyAlert/search: host="usoms0090" while changing permissions for an alert

skladstrup
New Member

We just stood up a new Splunk Light instance, version 7.2.0. I created a search and then saved it as an alert. When I try to change it to anything aside from private, I get the following error message:

In handler 'savedsearch': Data could not be written:
/nobody/search/savedsearches/SplunkOnlyAlert/search:
host="usoms0090"

The host is the same as the Splunk instance itself.

Any suggestions on how to fix this issue?

Labels (1)
Tags (1)
0 Karma

_Tom
Explorer

This might be caused by files which are not owned by the splunk user. 
For instance, if this applies to local.meta, you will get an error that metadata can not be written.

0 Karma

tusharbalar
Engager

when I change permission to Private, It works for me. Don't know why.
Hope It will help you.

alt text

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...