Reporting

Using a service account for scheduled searches

BrianAbbott
Explorer

Perhaps this has been asked and answered, forgive me if that is the case (and by all means, point me in that direction, please).

Is it a normal or at least a good practice to create a process by which scheduled searches (for reports and alerts) once approved for use in production, would then be reassigned to (owned by) what is in reality a service account?

If yes, then I suspect other questions come to mind, such as how to properly set up that service account.

I have an ES search head and a SH cluster. Most scheduled searches are on ES, but many more are starting to go into the cluster. People come and people go, so it seems like a good idea to reassign these to an account that is not user-centric once they are out of dev/test. I would very much appreciate any advice and examples that the Splunk community may be able to offer.

Thank you.

0 Karma

BrianAbbott
Explorer

Perhaps this is well documented and I have missed it, but I am not clear on how to set the correct permissions for a search that is owned by Nobody. Does that imply that permissions are set directly on each search?

I think that I prefer this option, so long as I can prevent any other non-admin from taking ownership and/or making any changes to the search or its schedule.

0 Karma

aromanauskas
Path Finder

There are 100 different ways to handle this process. Every Splunk admin/shop has their own best practice, though.

There is no need for the knowledge object to be owned by anybody. Once they are production you can just change the owner to Nobody, as long as you have good group level permissions. This way the department that is actually using the object can make changes and other departments don't.

But if you have a large number of different groups in the system to begin with, you may actually want to set up a local "app" for each group, or finding reports/dashboards will quickly become a monumental task.

0 Karma
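One way to verify the handover aromanauskas describes (owner changed to nobody, write access limited to the owning group's role) is to audit the app's `metadata/local.meta` after the change. The script below is an added example, not code from this thread or from Splunk: it parses a constructed `local.meta` fragment written in Splunk's metadata.conf stanza layout (`[savedsearches/<name>]`, `owner`, `access = read : [ ... ], write : [ ... ]`) and flags production saved searches that are still owned by a person or writable by roles outside an allow-list. The role names (`soc_analysts`, `soc_admins`), the user `bstaff` and the search names are assumptions made up for the sample.

```python
"""Audit a Splunk local.meta fragment for saved searches that were not
fully handed over to the shared owner.

Added example, not Splunk's code. The stanza format follows Splunk's
metadata.conf, e.g.

    [savedsearches/Failed%20Logins]
    owner = nobody
    access = read : [ soc_analysts ], write : [ soc_admins, admin ]
    export = none
"""
import configparser
import re
from urllib.parse import unquote

# Constructed sample (not from a real deployment): one search handed over
# correctly, one still owned by a departing analyst, one writable by every role.
SAMPLE_META = """\
[savedsearches/Failed%20Logins%20-%20Prod]
owner = nobody
access = read : [ soc_analysts, admin ], write : [ soc_admins, admin ]
export = none

[savedsearches/Brute%20Force%20Alert]
owner = bstaff
access = read : [ * ], write : [ bstaff ]

[savedsearches/PCI%20Daily%20Report]
owner = nobody
access = read : [ * ], write : [ * ]
"""

# Matches each 'read : [ a, b ]' / 'write : [ c ]' group inside the access value.
ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[\s*([^\]]*)\]")


def parse_access(value):
    """Turn 'read : [ a, b ], write : [ c ]' into {'read': [...], 'write': [...]}."""
    perms = {"read": [], "write": []}
    for kind, roles in ACCESS_RE.findall(value):
        perms[kind] = [r.strip() for r in roles.split(",") if r.strip()]
    return perms


def audit_meta(meta_text, allowed_writers=("admin",)):
    """Return (search_name, finding) tuples for saved searches that are still
    owned by a user account or writable by a role not in allowed_writers.
    A '*' in the write list means every role can edit, so it is always flagged."""
    # Stanza names contain %20 escapes, so interpolation must be off; values
    # contain ':' so only '=' may act as the key/value delimiter.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(meta_text)
    findings = []
    for stanza in cp.sections():
        if not stanza.startswith("savedsearches/"):
            continue
        name = unquote(stanza.split("/", 1)[1])
        owner = cp.get(stanza, "owner", fallback="nobody")
        perms = parse_access(cp.get(stanza, "access", fallback=""))
        if owner != "nobody":
            findings.append((name, f"owned by user '{owner}'"))
        bad_writers = [r for r in perms["write"] if r not in allowed_writers]
        if bad_writers:
            findings.append((name, f"writable by {bad_writers}"))
    return findings


if __name__ == "__main__":
    # In a real deployment, read $SPLUNK_HOME/etc/apps/<app>/metadata/local.meta
    # instead of the embedded sample.
    for search, finding in audit_meta(SAMPLE_META, allowed_writers=("admin", "soc_admins")):
        print(f"{search}: {finding}")
```

Run it with the allow-list set to the department's own editing role plus `admin`; anything reported is a search that a departing user still owns or that a non-admin role can still edit or reschedule, which is exactly the state the question asks how to prevent.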