Security

How to specify an owner for pre-canned saved searches for app packaging?

the_wolverine
Champion

I've written a bunch of scheduled searches for a Splunk app. The searches appear as having no owner. How can I specify an owner for these scheduled searches?

In order to be able to control the quota for these searches, I need to assign an owner. Otherwise, the quota is that assigned to splunk-system-user.

I need to package the app so the configuration must exist within the app context.

2 Solutions

the_wolverine
Champion

When a user creates and schedules a saved search, that search gets created in some app context and ownership of this search is specified in the user's Splunk directory ($SPLUNK/etc/users///local/savedsearches.conf).

In the case stated here, you want to package a saved search with your app that already has an owner specified. If you just create a saved search and schedule it in the app, it'll run without an owner. Without an owner, the scheduled search is run via the splunk-system-user account which has its own quota limits.

In order to specify an owner, do the following:

Create the saved search in someapp/default/savedsearches.conf:

[Errors in the last 24 hours]
search = error OR failed OR severe "more search terms"
dispatch.earliest_time = -1d
...
etc.

Then you'll specify the owner per saved search in the someapp/metadata/default.meta file:

### SAVED SEARCHES

[savedsearches/Errors%20in%20the%20last%2024%20hours]
access = read : [ * ], write : [ admin ]
owner = admin

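As an added check that is not part of either answer, the Python script below parses an app's savedsearches.conf and metadata/default.meta (constructed sample contents, not the poster's app) and reports scheduled searches that lack an owner stanza, using the same URL-encoded `savedsearches/<name>` naming shown above; it assumes the standard `enableSched = 1` key marks a search as scheduled.

```python
from urllib.parse import quote
# Constructed sample stand-ins for someapp/default/savedsearches.conf and
# someapp/metadata/default.meta; not taken from any real app.
SAVEDSEARCHES_CONF = """\
[Errors in the last 24 hours]
search = error OR failed OR severe
dispatch.earliest_time = -1d
enableSched = 1

[Failed logins by host]
search = action=failure | stats count by host
enableSched = 1

[Ad hoc lookup check]
search = index=_internal | head 1
"""

DEFAULT_META = """\
### SAVED SEARCHES
[savedsearches/Errors%20in%20the%20last%2024%20hours]
access = read : [ * ], write : [ admin ]
owner = admin
"""

def parse_conf(text):
    """Parse Splunk-style .conf/.meta text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def meta_stanza_for(search_name):
    """default.meta names a saved search as savedsearches/<URL-encoded stanza>."""
    return "savedsearches/" + quote(search_name, safe="")

def ownerless_scheduled_searches(conf_text, meta_text):
    """Scheduled searches (enableSched = 1) with no owner set in the meta file."""
    searches, meta = parse_conf(conf_text), parse_conf(meta_text)
    return [name for name, keys in searches.items()
            if keys.get("enableSched") == "1"
            and not meta.get(meta_stanza_for(name), {}).get("owner")]
```

Any name it returns is a search that, once the app is installed, the scheduler dispatches as splunk-system-user and counts against that account's quota rather than a named owner's.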

muebel
SplunkTrust

Try setting a local.meta in the /app/splunk/etc/apps/search/metadata folder

http://www.splunk.com/base/Documentation/4.1.1/Developer/Step5SetPermissions

and

http://www.splunk.com/base/Documentation/4.1.1/Admin/Defaultmetaconf

will help.

I suspect the configuration would look like:

[<object_type>/<object_name>]
access = read : [ <comma-separated list of roles> ], write : [ <comma-separated list of roles> ]
owner = <User_Name_in_Question>

for instance:

[savedsearches/Splunk%20errors%20last%2024%20hours]
access = read : [ admin ], write : [ admin ]
owner = jdoe



Hazel
Communicator

Thank you, this is really helpful.

