Security

How to specify an owner for pre-canned saved searches for app packaging?

the_wolverine
Champion

I've written a bunch of scheduled searches for a Splunk app. The searches appear as having no owner. How can I specify an owner for these scheduled searches?

In order to be able to control the quota for these searches, I need to assign an owner. Otherwise, the quota is that assigned to splunk-system-user.

I need to package the app so the configuration must exist within the app context.

2 Solutions

the_wolverine
Champion

When a user creates and schedules a saved search, that search gets created in some app context and ownership of this search is specified in the user's Splunk directory ($SPLUNK/etc/users///local/savedsearches.conf).

In the case stated here, you want to package a saved search with your app that already has an owner specified. If you just create a saved search and schedule it in the app, it'll run without an owner. Without an owner, the scheduled search is run via the splunk-system-user account which has its own quota limits.

In order to specify an owner, do the following:

Create the saved search in someapp/default/savedsearches.conf:

[Errors in the last 24 hours]
search = error OR failed OR severe "more search terms"
dispatch.earliest_time = -1d
...
etc.

Then you'll specify the owner per saved search in the someapp/metadata/default.meta file:

### SAVED SEARCHES

[savedsearches/Errors%20in%20the%20last%2024%20hours]
access = read : [ * ], write : [ admin ]
owner = admin

View solution in original post

muebel
SplunkTrust
SplunkTrust

try setting a local.meta in the /app/splunk/etc/apps/search/metadata folder

http://www.splunk.com/base/Documentation/4.1.1/Developer/Step5SetPermissions

and

http://www.splunk.com/base/Documentation/4.1.1/Admin/Defaultmetaconf

will help.

I suspect the configuration would look like:

[<object_type>/<object_name>]
access = read : [ <comma-separated list of roles>], write : [ comma-separated list of roles>]
owner = <User_Name_in_Question>

for instance:

[savedsearches/Splunk%20errors%20last%2024%20hours]
access = read : [ admin ], write : [ admin ]
owner = jdoe

View solution in original post

muebel
SplunkTrust
SplunkTrust

try setting a local.meta in the /app/splunk/etc/apps/search/metadata folder

http://www.splunk.com/base/Documentation/4.1.1/Developer/Step5SetPermissions

and

http://www.splunk.com/base/Documentation/4.1.1/Admin/Defaultmetaconf

will help.

I suspect the configuration would look like:

[<object_type>/<object_name>]
access = read : [ <comma-separated list of roles>], write : [ comma-separated list of roles>]
owner = <User_Name_in_Question>

for instance:

[savedsearches/Splunk%20errors%20last%2024%20hours]
access = read : [ admin ], write : [ admin ]
owner = jdoe

Hazel
Communicator

Thankyou, this is really helpful

0 Karma

the_wolverine
Champion

When a user creates and schedules a saved search, that search gets created in some app context and ownership of this search is specified in the user's Splunk directory ($SPLUNK/etc/users///local/savedsearches.conf).

In the case stated here, you want to package a saved search with your app that already has an owner specified. If you just create a saved search and schedule it in the app, it'll run without an owner. Without an owner, the scheduled search is run via the splunk-system-user account which has its own quota limits.

In order to specify an owner, do the following:

Create the saved search in someapp/default/savedsearches.conf:

[Errors in the last 24 hours]
search = error OR failed OR severe "more search terms"
dispatch.earliest_time = -1d
...
etc.

Then you'll specify the owner per saved search in the someapp/metadata/default.meta file:

### SAVED SEARCHES

[savedsearches/Errors%20in%20the%20last%2024%20hours]
access = read : [ * ], write : [ admin ]
owner = admin
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...