Monitoring Splunk

The saved searches & Reports created by user "nobody" are they default or pre-created at Splunk install?

SamHTexas
Builder

Should I review & change the user name to admin? And how do I deal with "Concurrency of scheduled reports" ? I have a few under this list. How do I edit the timing of these reports or such searches? Thank u in advance?

Labels (1)
Tags (1)
0 Karma

gjanders
SplunkTrust
SplunkTrust

The nobody user means that there is no owner assigned to the object.

For example an app that includes reports in savedsearches.conf and doesn't include metadata with owner info...which is normal.

The search runs as splunk-system-user so it has admin like access 

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/

SamHTexas
Builder

Thank u for your response. How do I find out what the object is? Should this "no body" ownership be changes or leave it the way it is please? Thanks again.

Tags (1)
0 Karma

gjanders
SplunkTrust
SplunkTrust

Settings -> All Configurations -> filter to owner of "No owner"

Or in various other places such as Settings -> Searches, reports, Alerts

Look for the owner of "nobody"

As mentioned they will run as splunk-system-user which uses the splunk-system-role, the role will be visible in Splunk but the user is hidden...

 

Personally I see no reason to change this from the nobody user *unless* you have a requirement to control quota and do not want to modify the splunk-sytem-role quotas...

In my environment I have not re-owned the nobody searches to an owner

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!