savedsearch will not run via cron schedule but can be run manually

GregSmith
Explorer
I am fighting with what I think is a knowledge object permission at the moment, but not 100% sure of this.
 
Context
I have 2 apps 
 1) mainapp with savedsearches, macros, dashboards, etc.
 2) mainapp_TA, containing most of the *.config files (props, transforms, etc.)
 
Based on the GUI Settings > pages, all ...
* savedsearches are all set to owner=nobody
* macros are set to owner = No Owner
* Sharing is set to App for everything
 
Issue
  • One of my 7 savedsearches will NOT run using a CRON schedule when the owner=nobody. The other savedsearches run just fine.
  • However, once I set owner=greg in /metadata/local.meta, the CRON schedule runs just fine.
    • Note: I tried setting owner to another user in our environment, and the CRON would NOT run. So, somehow this savedsearch is tied to me and I am not sure how to "untie" it.
  • When the owner=nobody on this savedsearch, I can manually hit "run" from the Settings > Searches, Reports, and Alerts page and it works every time.
 
I cannot figure out WHY this savedsearch is special and requires me to be the owner.
 
I have to be missing something but not sure where to look now.
 
Any help is greatly appreciated.

Regards, Greg

richgalloway
SplunkTrust

IMO, user Nobody should not be used.  All scheduled searches should be owned by a real user, even if it's a service account.  That means the user running the search would have a role that specifies what accesses and resources the search has. When a search runs manually, it takes on the role of the person running it (unless set to "run as owner").

Make sure the search in question has read access to all of the knowledge objects it needs.  IOW, each KO should be set to "Everyone" in the Read column (if using Nobody, that is; otherwise, set the permissions for the roles that need access).

---
If this reply helps you, Karma would be appreciated.
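Following richgalloway's advice to check that every knowledge object the search needs is readable, here is an added example (not code from the thread or from Splunk) that parses an app's metadata/local.meta and lists objects whose read access is not Everyone (`*`). The .meta content below is constructed; the script assumes the standard .meta layout of `[type/name]` stanzas carrying `owner` and `access = read : [ ... ], write : [ ... ]` lines, where a stanza without its own access line inherits the app-level `[]` stanza.

```python
import re
from urllib.parse import unquote

# Constructed sample of an app's metadata/local.meta (not from the thread).
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]
[savedsearches/Alert%20One]
owner = nobody
access = read : [ * ], write : [ admin ]
[savedsearches/Alert%20Two]
owner = nobody
[savedsearches/Alert%20Seven]
owner = nobody
access = read : [ admin ], write : [ admin ]
[macros/lookup_hosts]
owner = nobody
access = read : [ admin, power ], write : [ admin ]
"""

STANZA_RE = re.compile(r"^\[(.*)\]$")
READ_RE = re.compile(r"read\s*:\s*\[([^\]]*)\]")

def parse_meta(text):
    """Map each stanza (URL-decoded object path) to its key/value pairs."""
    objects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = unquote(m.group(1))
            objects[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            objects[current][key.strip()] = value.strip()
    return objects

def read_roles(objects, path):
    """Roles allowed to read an object; no 'access' line means inherit from []. '*' is Everyone."""
    access = objects[path].get("access") or objects.get("", {}).get("access", "")
    m = READ_RE.search(access)
    return [r.strip() for r in m.group(1).split(",") if r.strip()] if m else []

def find_not_everyone(objects):
    """Objects (excluding the [] default) whose read access is not Everyone."""
    return [(p, read_roles(objects, p)) for p in objects
            if p != "" and "*" not in read_roles(objects, p)]
```

Feed `parse_meta` the contents of the app's real metadata/local.meta to see which savedsearches, macros or lookups a nobody-owned scheduled search would be unable to read.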

GregSmith
Explorer

Thank you. Will give it a try and let the forum know.

Greatly appreciate the response and path forward.

Regards, Greg
