Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

savedsearches.conf from git: Why are scheduled searches being skipped?

dcparker
Path Finder
‎10-22-2014 12:13 PM

Hey all,

I am trying a new way to manage some of our Splunk alerts by placing them in the app's repo in Git. With this, I have a jenkins job that copies this "app" (basically a savedsearches.conf) over and reloads it through the API. Everything is working great, except the scheduled searches are showing "skipped" and aren't emailing or anything. Here's an example of the log:

10-22-2014 14:01:10.254 -0500 INFO  SavedSplunker - savedsearch_id="nobody;alert-v2;this should email us", user="nobody", app="alert-v2", savedsearch_name="this should email us", status=skipped, scheduled_time=1414004340

I have a few theories...but I haven't been able to confirm them.

  1. I had the app hidden in the UI, would that cause this?
  2. does it matter if the user is nobody and the search has no owner? Is there a way to set that generically without having to update a metadata file in git each time a new search is added?

Any help is appreciated, thanks!

Reply

lmyrefelt
Builder
‎11-18-2014 07:30 AM

I would go for option 1

In most cases you dont have to think about the "nobody" user ...

0 Karma
Reply

lmyrefelt
Builder
‎11-21-2014 05:50 AM

Scratch that .. I have multiple "hidden" apps with scheduled /saved searches that are running ... i will have to pass on that one ... 😉

sorry

Nobody is just the user that "gets assigned" to objects withour any owner.

0 Karma
Reply

norbert_hamel
Communicator
‎11-18-2014 04:53 AM

The user=nobody shows up in the internal logs if there is no user defined in the local.meta file. The list of searches in Splunk web will then show "No Owner". I don't think that this will cause skipping the search.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...