Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

The saved searches & Reports created by user "nobody" are they default or pre-created at Splunk install?

SamHTexas
Builder
‎06-18-2021 01:27 PM

Should I review & change the user name to admin? And how do I deal with "Concurrency of scheduled reports" ? I have a few under this list. How do I edit the timing of these reports or such searches? Thank u in advance?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎06-19-2021 02:03 AM

The nobody user means that there is no owner assigned to the object.

For example an app that includes reports in savedsearches.conf and doesn't include metadata with owner info...which is normal.

The search runs as splunk-system-user so it has admin like access 

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply

SamHTexas
Builder
‎06-21-2021 11:09 AM

Thank u for your response. How do I find out what the object is? Should this "no body" ownership be changes or leave it the way it is please? Thanks again.

Tags (1)
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎06-21-2021 05:51 PM

Settings -> All Configurations -> filter to owner of "No owner"

Or in various other places such as Settings -> Searches, reports, Alerts

Look for the owner of "nobody"

As mentioned they will run as splunk-system-user which uses the splunk-system-role, the role will be visible in Splunk but the user is hidden...

 

Personally I see no reason to change this from the nobody user *unless* you have a requirement to control quota and do not want to modify the splunk-sytem-role quotas...

In my environment I have not re-owned the nobody searches to an owner

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...