Probably a silly question, but can someone please advise what 'nobody' (under Owner column) next to a dashboard signifies in Splunk? If an artifact is created it reflects the owner's i.d. as configured in the 'Users' section generally, but there seem to be a lot of objects with 'nobody' as owner in our Splunk instance. What does that mean?
It means that the user that created the object is no longer a user in the authenticating system. If you create a local user, then log in as that user, then create any knowledge object, then delete that user, then all of his KOs will switch to be owned by nobody.
Thanks for the info, @woodcock. I have a bunch of these from folks who have copied apps in from other search heads. I was able to get the default owner set like below in metadata/local.meta and I see savedsearches.conf objects in the UI no longer have the nobody owner next to them. Even after a restart of the search head, I still see the scheduler running these as nobody. So possibly I still have to set it at the object level for the scheduler to use the new owner?
#metadata/local.meta
[]
owner = newowner
This only applies if your object does not already have an owner= defined. In your case (actually, in every case where a knowledge object has been created or modified from the GUI), it already has its own value so it will not inherit the default value that you have defined in local.meta. The way that this works is, as an app developer (do not over-glorify app; this just means a packaging of configuration files to be deployed together), I can dispense with putting an owner=newowner line under every Knowledge Object definition and instead put owner=newowner once inside of local.meta. If Splunk does not find an owner= line in the Knowledge Object definition stanza, it will use the one from local.meta (if it exists).
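An added example, not part of the original thread: a small Python audit that reads a .meta file and reports, for each object stanza, whether its owner is set explicitly or inherited from the `[]` default, following the rule described in the answer above. The sample file contents and stanza names are constructed for illustration, and the script handles only the per-object and `[]` levels discussed here.

```python
# Added example: resolve the effective owner of each stanza in a .meta file.
# SAMPLE_LOCAL_META is constructed sample data, not taken from a real app.
SAMPLE_LOCAL_META = """\
[]
owner = newowner

[savedsearches/Failed%20Logins]
owner = olduser

[savedsearches/Disk%20Usage]
export = system

[views/overview]
owner = nobody
"""

def parse_meta(text):
    """Return {stanza_name: {key: value}}; the [] stanza is stored under ''."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective_owners(text):
    """Map each object stanza to (owner, source of that owner)."""
    stanzas = parse_meta(text)
    default_owner = stanzas.get("", {}).get("owner")
    result = {}
    for name, attrs in stanzas.items():
        if name == "":
            continue  # the default stanza itself is not an object
        if "owner" in attrs:
            # An explicit owner= on the object wins over the [] default.
            result[name] = (attrs["owner"], "explicit")
        elif default_owner is not None:
            result[name] = (default_owner, "inherited from []")
        else:
            result[name] = (None, "undefined")
    return result

if __name__ == "__main__":
    for name, (owner, source) in effective_owners(SAMPLE_LOCAL_META).items():
        print(f"{name}: owner={owner} ({source})")
```

Stanzas reported as "explicit" are the ones a default in `[]` will not change; those need their own owner= line edited.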
Makes perfect sense. Many thanks for clarifying.