Hi,
I have found that there are a lot of knowledge objects in a particular app, which is a custom app and not a default Splunk app, and it has some of the knowledge objects set to "No owner".
What does it exactly mean?
Was it placed in the backend by someone instead of creating it through the UI?
Thanks
If the user that created it is deleted from the system, then Splunk will orphan the object and it will show as being owned by nobody. Ownership of knowledge objects is detailed inside of the local.meta file. It is possible that somebody has stripped all of the ownership details from that file:
https://docs.splunk.com/Documentation/Splunk/latest/Security/Addmanagementaccesstocustomroles#How_to...
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Apparchitectureandobjectownership
We do this deliberately.
When you create any knowledge artifact from Splunk Web UI OR CLI OR RESTful API, the object is created with the owner set to the Splunk user for that method (the logged-in user in Splunk Web, OR the user credentials passed through the CLI and RESTful API call). When you first create an artifact, it's privately owned (unless you selected the option "Shared within App" while creating it). All private objects reside in $SPLUNK_HOME/etc/users/<username>/<appname> directories and will show the owner as the <username>.
When you share the artifacts at App level or Global context, the artifact is moved to the $SPLUNK_HOME/etc/apps/<appname> directory. It'll also have a local.meta entry in the $SPLUNK_HOME/etc/apps/<appname>/metadata directory which defines the artifact's sharing permissions and ownership details.
e.g.
[savedsearches/Splunk%20errors%20last%2024%20hours]
access = read : [ admin ], write : [ admin ]
owner = somesoni2
export = system
These .meta entries are created automatically when you use Splunk Web UI OR CLI OR RESTful API. But you may also add/update these entries manually from the file system OR get them deployed via a deployment server or cluster deployers/masters.
Based on the type of artifact, they run within the quota of its owner (e.g. alerts and reports).
Now, when a user is removed from Splunk (either moves to a different team or company), then all artifacts owned by him become orphaned. They'll still show that user as owner. So, if you can't find a new owner for those artifacts, then you can assign "nobody" (or "No Owner" as shown in the UI) as the new owner.
The nobody or "No owner" is an in-built Splunk system user which has fixed quotas and roles. You use this user (to own stuff) when some knowledge objects are created for system-wide use and aren't owned by/limited to a specific set of users (e.g. any apps that you download from Splunk app base, or artifacts available in built-in Splunk apps).
So, when an artifact has its owner as nobody, it runs with the quota of the nobody system user. This is also the default owner when there is no owner specified (e.g. you created a search in the $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf file by directly editing it); they're owned by nobody.
This would be a good read: http://dev.splunk.com/view/webframework-developapps/SP-CAAAE88
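As an added example (not code from this thread or from Splunk), here is a small Python check that parses local.meta stanzas in the format quoted above and buckets each object as owned, nobody, no owner (the owner key is absent), or orphaned (the owner names an account that no longer exists). The sample .meta text and the user set passed to classify_ownership are constructed for the example; in practice the user set is assumed to come from the admin's current Splunk user list.

```python
import urllib.parse

# Constructed sample local.meta, modelled on the stanza quoted in the thread.
# Stanza names are "<object type>/<URL-encoded object name>".
SAMPLE_LOCAL_META = """\
[savedsearches/Splunk%20errors%20last%2024%20hours]
access = read : [ admin ], write : [ admin ]
owner = somesoni2
export = system
[savedsearches/Nightly%20audit]
owner = jdoe
export = none
[views/ops_dashboard]
owner = nobody
[lookups/asset_list.csv]
access = read : [ * ], write : [ admin ]
"""

def parse_meta(text):
    """Parse .meta stanzas into {stanza: {key: value}} (hand-rolled: configparser would split 'access' at ':')."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def classify_ownership(text, existing_users):
    """Bucket objects: owned / nobody / no_owner (key absent) / orphaned (owner not in existing_users).
    existing_users is assumed to be the admin's current Splunk user list."""
    buckets = {"owned": [], "nobody": [], "no_owner": [], "orphaned": []}
    for stanza, kv in parse_meta(text).items():
        obj_type, _, name = stanza.partition("/")
        label = f"{obj_type}:{urllib.parse.unquote(name)}"  # decode %20 etc.
        owner = kv.get("owner")
        if owner is None:
            buckets["no_owner"].append(label)
        elif owner == "nobody":
            buckets["nobody"].append(label)
        elif owner in existing_users:
            buckets["owned"].append(label)
        else:
            buckets["orphaned"].append(label)
    return buckets
```

Run it over each app's metadata/local.meta to get a list of orphaned scheduled objects to reassign before their schedules silently stop.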
What is the difference between "No owner" and "nobody"?
"nobody" is for the apps which are created/pushed by management servers on Splunk.
No-owner means the user who created those knowledge objects no longer exists in the system.
I might be wrong here, but in earlier versions of Splunk owner = nobody could actually be used and savedsearches would still run. When a search has no owner, however, the search will not continue to run on its schedule. Those knowledge objects should be reassigned. Take a look at the corresponding docs.
Skalli