From the scheduler log:
If the permission of the Alert has been created as shared App or Globally, the scheduler fires the Alert as below:
[INFO SavedSplunker - savedsearch_id="nobody;search;your_alert_name", search_type="scheduled", user="admin", app="search", savedsearch_name="your_alert_name"]
Then you will note that savedsearch_id="nobody;search;your_alert_name" does not match the user="admin", app="search", savedsearch_name="your_alert_name"; here the specific user is "admin" vs "nobody".
In that case, you need to create the Alert as Private, or you need to change the owner to "nobody" in local.meta manually if it's created as App or Globally shared.
E.g. under $SPLUNK_HOME/etc/apps/search/metadata/local.meta
From
[savedsearches/your_alert]
owner = admin
To
[savedsearches/your_alert]
owner = nobody
Then check whether the owner has been changed for the alert by clicking "Settings" -> "Searches, Reports, and Alerts" and checking the "Owner" field for the alert.
Hope it helps
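Added example, not part of the original post: a Python sketch that scans scheduler log lines in the format quoted above and lists the alerts whose owner in savedsearch_id differs from the user field. The sample lines are constructed and the function name find_owner_mismatches is hypothetical.

```python
import re

# Constructed sample lines in the shape quoted in the post (not real log output).
SAMPLE_LOG = """\
INFO SavedSplunker - savedsearch_id="nobody;search;your_alert_name", search_type="scheduled", user="admin", app="search", savedsearch_name="your_alert_name"
INFO SavedSplunker - savedsearch_id="admin;search;private_alert", search_type="scheduled", user="admin", app="search", savedsearch_name="private_alert"
INFO SavedSplunker - some other scheduler message without key/value pairs
"""

# key="value" pairs as they appear in the quoted log line
KV = re.compile(r'(\w+)="([^"]*)"')


def find_owner_mismatches(log_text):
    """Return one record per scheduled run whose savedsearch_id owner != user."""
    findings = []
    for line in log_text.splitlines():
        if "SavedSplunker" not in line:
            continue
        fields = dict(KV.findall(line))
        sid, user = fields.get("savedsearch_id"), fields.get("user")
        if not sid or user is None:
            continue
        # savedsearch_id is owner;app;name. Split at most twice so a
        # semicolon inside the search name does not break the parse.
        parts = sid.split(";", 2)
        if len(parts) != 3:
            continue
        owner, app, name = parts
        if owner != user:
            findings.append(
                {"name": name, "app": app, "id_owner": owner, "run_as_user": user}
            )
    return findings


if __name__ == "__main__":
    for f in find_owner_mismatches(SAMPLE_LOG):
        print(
            f'{f["app"]}/{f["name"]}: savedsearch_id owner="{f["id_owner"]}" '
            f'but user="{f["run_as_user"]}"; check owner in local.meta'
        )
```
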