Splunk Search

savedsearch will not run via cron schedule but can be run manually

GregSmith
Explorer
I am fighting with what I think is a knowledge object permission at the moment, but not 100% sure of this.
 
Context
I have 2 apps 
 1) mainapp with savedsearches, macros, dashboards, etc.
 2) mainapp_TA, containing most of the *.config files (props, transforms, etc.)
 
Based on the GUI Settings > pages, all ...
* savedsearches are all set to owner=nobody
* macros are set to owner= No Owner
* Sharing is set to App for everything
 
Issue
  • One of my 7 savedsearches will NOT run using a CRON schedule when the owner=nobody. The other savedsearches run just fine.
  • However, once I set owner=greg in /metadata/local.meta, the CRON schedule runs just fine.
    • Note: I tried setting owner to another user in our environment, and the CRON would NOT run. So, somehow this savedsearch is tied to me and I am not sure how to "untie" it.
  • When the owner=nobody on this savedsearch, I can manually hit "run" from the Settings > Searches, Reports, and Alerts page and it works every time.
 
I cannot figure out WHY this savedsearch is special and requires me to be the owner.
 
I have to be missing something but not sure where to look now.
 
Any help is greatly appreciated.

Regards, Greg
0 Karma

richgalloway
SplunkTrust

IMO, user Nobody should not be used.  All scheduled searches should be owned by a real user, even if it's a service account.  That means the user running the search would have a role that specifies what accesses and resources the search has. When a search runs manually, it takes on the role of the person running it (unless set to "run as owner").

Make sure the search in question has read access to all of the knowledge objects it needs.  IOW, each KO should be set to "Everyone" in the Read column (if using Nobody, that is; otherwise, set the permissions for the roles that need access).

---
If this reply helps you, Karma would be appreciated.
0 Karma
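The two checks suggested in the reply above can be run against an app's `metadata/local.meta` or `default.meta`. The following is an added example, not code from the thread or from Splunk: the sample stanzas and object names are constructed, and it assumes that an object with no `owner` line counts as owned by nobody and that read access must include `*` at every layer (`[]`, the category, the object) that carries an `access` line.

```python
import re
from urllib.parse import unquote

# Constructed sample of an app's metadata/local.meta; all names are hypothetical.
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]
[savedsearches/Nightly%20Rollup]
owner = greg
[savedsearches/Hourly%20Summary]
owner = nobody
[macros]
access = read : [ admin ], write : [ admin ]
[macros/base_index]
access = read : [ * ], write : [ admin ]
[props/my_sourcetype]
access = read : [ admin, power ], write : [ admin ]
"""

def parse_meta(text):
    # Returns {stanza name (URL-decoded): {key: value}}; "[]" becomes "".
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(unquote(header.group(1)), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def read_roles(access):
    # Roles listed in the read part of "read : [ a, b ], write : [ c ]".
    m = re.search(r"read\s*:\s*\[([^\]]*)\]", access)
    return {r.strip() for r in m.group(1).split(",") if r.strip()} if m else set()

def audit(text):
    # Flags saved searches owned by nobody and objects not readable by Everyone.
    stanzas, findings = parse_meta(text), []
    for name in sorted(s for s in stanzas if "/" in s):
        kind = name.split("/", 1)[0]
        # Assumption: a missing owner line means the object is owned by nobody.
        if kind == "savedsearches" and stanzas[name].get("owner", "nobody") == "nobody":
            findings.append((name, "owner=nobody"))
        for layer in ("", kind, name):  # app, category, object
            access = stanzas.get(layer, {}).get("access")
            if access is not None and "*" not in read_roles(access):
                findings.append((name, f"read not Everyone at [{layer}]"))
    return findings
```

Pass `audit()` the text of each `.meta` file in both apps; every finding is a saved search or knowledge object to review in the Permissions page.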

GregSmith
Explorer

Thank you. Will give it a try and let the forum know.

Greatly appreciate the response and path forward.

Regards, Greg

0 Karma