
savedsearch will not run via cron schedule but can be run manually

GregSmith
Explorer
I am fighting with what I think is a knowledge object permission at the moment, but not 100% sure of this.
 
Context
I have 2 apps 
 1) mainapp with savedsearches, macros, dashboards, etc.
 2) mainapp_TA, containing most of the *.config files (props, transforms, etc.)
 
Based on the GUI Settings > pages, all ...
* savedsearches are all set to owner=nobody
* macros are set to owner= No Owner
* Sharing is set to App for everything
 
Issue
  • One of my 7 savedsearches will NOT run using a CRON schedule when the owner=nobody. The other savedsearches run just fine.
  • However, once I set owner=greg in /metadata/local.meta, the CRON schedule runs just fine.
    • Note: I tried setting owner to another user in our environment, and the CRON would NOT run. So, somehow this savedsearch is tied to me and I am not sure how to "untie" it.
  • When the owner=nobody on this savedsearch, I can manually hit "run" from the Settings > Searches, Reports, and Alerts page and it works every time.
 
I cannot figure out WHY this savedsearch is special and requires me to be the owner.
 
I have to be missing something but not sure where to look now.
 
Any help is greatly appreciated.

Regards, Greg

richgalloway
SplunkTrust

IMO, user Nobody should not be used.  All scheduled searches should be owned by a real user, even if it's a service account.  That means the user running the search would have a role that specifies what accesses and resources the search has. When a search runs manually, it takes on the role of the person running it (unless set to "run as owner").

Make sure the search in question has read access to all of the knowledge objects it needs.  IOW, each KO should be set to "Everyone" in the Read column (if using Nobody, that is; otherwise, set the permissions for the roles that need access).

---
If this reply helps you, Karma would be appreciated.
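As an added illustration (not from either poster), this is the shape of the metadata/local.meta entries the reply above implies for a scheduled search owned by nobody and for the macro it calls: app-level sharing and read access for every role. The object names, the macro's argument count and the service-account name are assumed.

```ini
# metadata/local.meta inside the "mainapp" app (added example; names are assumed)
# Stanza names are <object type>/<URL-encoded object name>, so spaces become %20.

# The saved search that the cron schedule runs. Per the reply above, with
# owner = nobody there is no owner role to grant access, so every knowledge
# object the search touches must be readable by every role: read : [ * ].
[savedsearches/Example%20Scheduled%20Search]
owner = nobody
access = read : [ * ], write : [ admin ]
export = none

# A macro the search expands. The search itself being readable is not enough;
# the macro (and any lookup, eventtype or tag it relies on) needs read access
# too. The "(1)" suffix is the macro's argument count.
[macros/example_macro(1)]
owner = nobody
access = read : [ * ], write : [ admin ]
export = none

# The alternative the reply recommends: give the schedule a real owner
# (a service account, assumed name below) so that account's role decides
# what the search may read.
# [savedsearches/Example%20Scheduled%20Search]
# owner = svc_splunk_scheduler
# access = read : [ * ], write : [ admin ]
# export = none
```

`export = none` keeps the objects at App sharing as in the original post; `export = system` would make them visible to every app.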

GregSmith
Explorer

Thank you. Will give it a try and let the forum know.

Greatly appreciate the response and path forward.

Regards, Greg
