Monitoring Splunk

The saved searches & Reports created by user "nobody" are they default or pre-created at Splunk install?

SamHTexas
Builder

Should I review & change the user name to admin? And how do I deal with "Concurrency of scheduled reports" ? I have a few under this list. How do I edit the timing of these reports or such searches? Thank u in advance?

Labels (1)
Tags (1)
0 Karma

gjanders
SplunkTrust
SplunkTrust

The nobody user means that there is no owner assigned to the object.

For example an app that includes reports in savedsearches.conf and doesn't include metadata with owner info...which is normal.

The search runs as splunk-system-user so it has admin like access 

SamHTexas
Builder

Thank u for your response. How do I find out what the object is? Should this "no body" ownership be changes or leave it the way it is please? Thanks again.

Tags (1)
0 Karma

gjanders
SplunkTrust
SplunkTrust

Settings -> All Configurations -> filter to owner of "No owner"

Or in various other places such as Settings -> Searches, reports, Alerts

Look for the owner of "nobody"

As mentioned they will run as splunk-system-user which uses the splunk-system-role, the role will be visible in Splunk but the user is hidden...

 

Personally I see no reason to change this from the nobody user *unless* you have a requirement to control quota and do not want to modify the splunk-sytem-role quotas...

In my environment I have not re-owned the nobody searches to an owner

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...