Splunk Enterprise

Is it possible to have alerts and reports assigned to nobody as owner?

Gregski11
Contributor

would there ever be a scenario where its acceptable to have enabled alerts and or reports running which are not assigned to anybody ie owner = Nobody

Labels (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, it is possible to have alerts and reports owned by 'nobody', but I don't know why you'd want to do that.  User 'nobody' uses default settings, which may not be correct for the use case.  IMO, it's better to assign alerts and reports to a service account with a role that has the resources needed to run  those alerts and reports.

---
If this reply helps you, Karma would be appreciated.

Gregski11
Contributor

thank you Rich for taking the time to comment, I agree with you however please check your own config as what I see is that Splunk runs it's own apps as Nobody, for example these:

Splunk_Security_Essentials

SplunkAppForWebAnalytics

Splunk_ML_Toolkit

Splunk_TA_microsoft-cloudservices

Splunk_TA_microsoft-sqlserver

splunk_instrumentation

search

splunk_monitoring_console

sideview_utils

simple_xml_examples

splunk_archiver

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I understand the use of Nobody is commonplace, but that doesn't mean it's a good idea or that I agree with it.

---
If this reply helps you, Karma would be appreciated.

isoutamo
SplunkTrust
SplunkTrust

Here is explanation what nobody actually means https://community.splunk.com/t5/All-Apps-and-Add-ons/Disambiguation-of-the-meaning-of-quot-nobody-qu...

Based on that, you should always use valid user to own those KOs. User could be a real user or service user depending on your needs.

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...