Splunk Search

What does it mean? user=tommyjones is not allowed to run historical scheduled search, skipping savedsearch_id="tommyjones;…"


I'm seeing this in the scheduler log and would like to know what it means and what causes it. This user can certainly run scheduled searches, so confused about this.

0 Karma

Path Finder

add schedule_search=enable in your authorize.conf under the role your id belong to and restart the server. It should work.


Ensure that the User (or the role assigned to user) has capability 'schedule_search'. Or verify access permission on the schedule search which is failing.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...