Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

savedsearches.conf from git: Why are scheduled searches being skipped?

dcparker
Path Finder
‎10-22-2014 12:13 PM

Hey all,

I am trying a new way to manage some of our Splunk alerts by placing them in the app's repo in Git. With this, I have a jenkins job that copies this "app" (basically a savedsearches.conf) over and reloads it through the API. Everything is working great, except the scheduled searches are showing "skipped" and aren't emailing or anything. Here's an example of the log:

10-22-2014 14:01:10.254 -0500 INFO  SavedSplunker - savedsearch_id="nobody;alert-v2;this should email us", user="nobody", app="alert-v2", savedsearch_name="this should email us", status=skipped, scheduled_time=1414004340

I have a few theories...but I haven't been able to confirm them.

  1. I had the app hidden in the UI, would that cause this?
  2. does it matter if the user is nobody and the search has no owner? Is there a way to set that generically without having to update a metadata file in git each time a new search is added?

Any help is appreciated, thanks!

Reply

lmyrefelt
Builder
‎11-18-2014 07:30 AM

I would go for option 1

In most cases you dont have to think about the "nobody" user ...

0 Karma
Reply

lmyrefelt
Builder
‎11-21-2014 05:50 AM

Scratch that .. I have multiple "hidden" apps with scheduled /saved searches that are running ... i will have to pass on that one ... 😉

sorry

Nobody is just the user that "gets assigned" to objects withour any owner.

0 Karma
Reply

norbert_hamel
Communicator
‎11-18-2014 04:53 AM

The user=nobody shows up in the internal logs if there is no user defined in the local.meta file. The list of searches in Splunk web will then show "No Owner". I don't think that this will cause skipping the search.

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...