Splunk Search

savedsearch will not run via cron schedule but can be run manually

GregSmith
Explorer
I am fighting with what I think is a knowledge object permission at the moment, but not 100% sure of this.
 
Context
I have 2 apps 
 1) mainapp with savedsearches, macros, dashboards, etc.
 2) mainapp_TA, containing most of the *.config files (props, transforms, etc.)
 
Based on the GUI Settings > pages, all ...
* savedsearches are all set to owner=nobody
* macros are set to owner= No Owner
* Sharing is set to App for everything
 
Issue
  • One of my 7 savedsearches will NOT run using a CRON schedule when the owner=nobody. The other savedsearches run just fine.
  • However, once I set owner=greg in /metadata/local.meta, the CRON schedule runs just fine.
    • Note: I tried setting owner to another user in our environment, and the CRON would NOT run. So, somehow this savedsearch is tied to me and I am not sure how to "untie" it.
  • When the owner=nobody on this savedsearch, I can manually hit "run" from the Settings > Searches, Reports, and Alerts page and it works every time.
 
I cannot figure out WHY this savedsearch is special and requires me to be the owner.
 
I have to be missing something but not sure where to look now.
 
Any help is greatly appreciated.

Regards, Greg
0 Karma

richgalloway
SplunkTrust

IMO, user Nobody should not be used.  All scheduled searches should be owned by a real user, even if it's a service account.  That means the user running the search would have a role that specifies what accesses and resources the search has. When a search runs manually, it takes on the role of the person running it (unless set to "run as owner").

Make sure the search in question has read access to all of the knowledge objects it needs.  IOW, each KO should be set to "Everyone" in the Read column (if using Nobody, that is; otherwise, set the permissions for the roles that need access).

---
If this reply helps you, Karma would be appreciated.
0 Karma
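
One way to run the check suggested in the answer above, as an added example that is not part of the original thread: a Python sketch that parses an app's `metadata/local.meta` and lists knowledge objects whose read permission does not include Everyone (`*`). The sample file contents, the object names, and the fallback order (object stanza, then type stanza, then `[]`) are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample of an app's metadata/local.meta (not taken from the thread).
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]
export = none

[savedsearches/Nightly%20Rollup]
owner = nobody

[macros/rollup_index]
access = read : [ admin, power ], write : [ admin ]
owner = greg
"""

def parse_meta(text):
    """Return {stanza name: {key: value}} for the contents of a .meta file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Object names are URL-encoded in stanza headers (%20 for a space).
            current = stanzas.setdefault(unquote(line[1:-1]), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def read_roles(stanzas, name):
    """Resolve the read ACL: object stanza, then its type stanza, then []."""
    for candidate in (name, name.split("/", 1)[0], ""):
        access = stanzas.get(candidate, {}).get("access")
        m = re.search(r"read\s*:\s*\[([^\]]*)\]", access or "")
        if m:
            return {r.strip() for r in m.group(1).split(",") if r.strip()}
    return set()

def audit(text):
    """List (object, owner, read roles) for objects not readable by Everyone."""
    stanzas = parse_meta(text)
    return [(name, stanzas[name].get("owner"), sorted(read_roles(stanzas, name)))
            for name in stanzas
            if "/" in name and "*" not in read_roles(stanzas, name)]
```

Run `audit()` over the `local.meta` and `default.meta` of every app that holds objects the scheduled search references; anything it returns is unreadable to a search whose owner has no matching role.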

GregSmith
Explorer

Thank you. Will give it a try and let the forum know.

Greatly appreciate the response and path forward.

Regards, Greg

0 Karma