I have several saved searches and reports that are not working. When I view them in the searches and reports page it says they have no owner. How can I assign an owner to these searches and reports? Do all of the searches and reports need to have an owner in order to work?
We recently restored the entire system from a backup and ever since then none of our dashboards or saved reports are working.
Here is an example of a search that used to work but now it returns no results.
index=cisco eventtype=cisco_firewall | top src_ip showperc=f
Welcome.
They don't need an owner to function correctly.
Do you get any results when you manually run the searches? It sounds like it could be an index issue if you aren't getting any results but no errors. When you restored the backup how did you go about it?
Ah, have you verified your eventtypes have come across OK? These are usually user specific and could have been lost in the move over.
Yes, when I run that command it does list the CISCO index and paths. I have also verified that all the paths are valid.
Is the index "cisco" displayed when you run the command ./splunk list index? Run this from the /opt/splunk/bin directory (assuming you installed to the default location).
I have updated my question with an example search.
Could you post the searches? Preferably if you update your question with them and then select them in "code block" to format them nicely. Do you have any event data in the new setup?
I do not get any results when I run the searches. Directories restored in the backup were:
/var
/opt/splunk