Splunk Enterprise

Why doesn't Report scheduling work properly?

PickleRick
SplunkTrust

I'm bemused with Splunk again (otherwise I wouldn't be posting here ;-)).

But seriously - I have an indexer cluster and two separate search head clusters connected with that indexer cluster. One shcluster has ES installed, one doesn't.

Everything seems to be working relatively OK.

I have a "temporary" index into which I ingest some events from which I prepare a lookup by means of a report containing some search ending with | outputlookup.

And that also works OK.

Mostly.

Because it used to work on an "old" shcluster (the one with ES). And it still does.

But due to the fact that we have a new shcluster (the one without ES) and of course lookups are not shared between different shclusters, I defined a report on the new cluster as well.

And here's where the fun starts.

The report is defined and works great when run manually. But I cannot schedule it. I open the "Edit Schedule" dialog, I fill in all the necessary fields, I save the settings... and the dialog closes but nothing happens. If I open the "Edit Schedule" dialog again, the report is still not scheduled.

To make things more interesting, I see entries in conf.log but they do show:

      payload: { -
       children: { -
         action.email.show_password: { +
         }
         dispatch.earliest_time: { +
         }
         dispatch.latest_time: { +
         }
         schedule_window: { -
           value: 15
         }
         search: { +
         }
       }
      value:
}

So there are _some_ schedule-related parameters (and yes - if I verify them in etc/users/admin/search/local/savedsearches.conf they are there):

dispatch.earliest_time = -24h@h
dispatch.latest_time = now
schedule_window = 15

But there is no dispatch schedule being applied nor is the schedule enabled at all (the enableSched value is not pushed with the confOp apparently).

So I'm stuck. I can of course manually edit the savedsearches.conf for my user but that's not the point.

The version is 8.2.6.


PickleRick
SplunkTrust

OK. I'm more and more puzzled.

I logged in today and it seems I was able to change the schedule to enabled state and the report did show the schedule but splunk wasn't showing Next Scheduled Time.

So I decided to delete the report altogether and re-create it from scratch. It went relatively well - I created the report, configured the schedule and Next Scheduled Time showed up. Yay!

Then I changed the permissions for the report from Private to Global. And added R/W permissions for the admin user and R permissions for one other role. Next Scheduled Time changed to none. w00t?

OK, after some fiddling with permissions it seems that scheduling gets "disabled" if I assign R permission to any role without assigning W permission.

Is there something I don't understand here? I thought R permission in case of reports was for a user to be able to run/see the report and W was so that the user can modify it. Did I misunderstand something (or didn't read the docs thoroughly enough ;-))?


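For comparison, here is what the two posts above describe laid out as configuration: the savedsearches.conf stanza the poster found on disk (only the dispatch window and schedule_window written, nothing that turns the scheduler on) next to the minimum a scheduled report needs, plus the local.meta entry that carries the sharing and read/write role grants from the second post. This is an added illustration, not the poster's own files; the report name build_temp_lookup, the index name temporary, the lookup file temp_hosts.csv, the role reporting_ro and the hourly cron expression are all assumed placeholders.

```ini
# --- etc/users/admin/search/local/savedsearches.conf, as observed ---
# Reconstructed from the post: the scheduler ignores this stanza because
# neither enableSched nor cron_schedule is present, so no Next Scheduled
# Time is ever computed. (Report/index/lookup names are assumed.)
[build_temp_lookup]
search = index=temporary | stats count by host | outputlookup temp_hosts.csv
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
schedule_window = 15

# --- the same stanza with scheduling actually enabled ---
# enableSched = 1 switches the scheduler on for this report and
# cron_schedule says when; schedule_window only widens the window
# around that cron time and does nothing on its own.
[build_temp_lookup]
search = index=temporary | stats count by host | outputlookup temp_hosts.csv
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
enableSched = 1
cron_schedule = 0 * * * *
schedule_window = 15

# --- etc/apps/search/metadata/local.meta, after sharing the report ---
# This is where "Global" (export = system) and the per-role read/write
# grants from the second post end up. The role name is assumed.
[savedsearches/build_temp_lookup]
owner = admin
export = system
access = read : [ admin, reporting_ro ], write : [ admin ]
```

On the search head, `splunk btool savedsearches list build_temp_lookup --debug` prints the merged stanza with the file each key came from, which is the quickest way to confirm whether enableSched and cron_schedule made it to disk at all.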