Searches and reports show no owner...

jgruwell · ‎12-05-2011

I have several saved searches and reports that are not working. When I view them in the searches and reports page it says they have no owner. How can I assign an owner to these searches and reports? Do all of the searches and reports need to have an owner in order to work?

We recently restored the entire system from a backup and ever since then none of our dashboards or save reports are working.

Here is an example of a search that used to work but now it returns no results.
index=cisco eventtype=cisco_firewall | top src_ip showperc=f

Drainy · ‎12-05-2011

Welcome.
They don't need an owner to function correctly.
Do you get any results when you manually run the searches? It sounds like it could be an index issue if you aren't getting any results but no errors. When you restored the backup how did you go about it?

Drainy · ‎12-10-2011

ah, have you verified your eventtypes have come across ok? These are usually user specific and could have been lost in the move over

jgruwell · ‎12-06-2011

Yes when I run that command it does list the CISCO index and paths. I have also verified that all the paths are valid.

Drainy · ‎12-06-2011

is the index "cisco" displayed when you run the command, ./splunk list index - run this from the /opt/splunk/bin directory (assuming you installed to the default location)

jgruwell · ‎12-05-2011

I have updated my question with an example search.

Drainy · ‎12-05-2011

could you post the searches? Preferably if you update your question with them and then select them in "code block" to format them nicely. Do you have any event data in the new setup?

jgruwell · ‎12-05-2011

I do not get any results when I run the searches. Directories restored in the backup were..

/var
/opt/splunk

Searches and reports show no owner...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor