Splunk searches from deleted users

rgtsplunk — Wed, 17 Oct 2012 21:19:25 GMT

We can see in our splunkd.log that is showing the following errors:

UserManagerPro - Failed to get LDAP user="xxx" from any configured servers
AuthenticationManagerLDAP - user="xxx" has matching LDAP groups with strategy="yyyy", but none are mapped to Splunk roles

We also get some error messages with 'user="splunk"', but have no user splunk. They are not the same as those run by splunk-system-user.

These users were removed, and should not be running searches. Yet these messages are consistently being reported. We would like to know what searches they apply to, so we can disable the searches, or move them to another user. But the message does not say what searches are running, nor give us any information to go on. Any ideas?

Richard Thomsen

Re: Splunk searches from deleted users

piebob — Fri, 21 Dec 2012 21:55:41 GMT

you're most likely seeing saved searches created by these users that are run on a schedule. to see the owners of saved searches, you can look in Manager > Searches and reports.

once there, you can use the search box on the right to look for those usernames, or filter by app.

to change the owner of a search defined in $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf, edit the ownership and permissions defined in etc/apps/search/metadata/local.meta. you'll need to substitute the app name of any app you're working on for 'search'

you will have to restart splunk to see the change.

topic Splunk searches from deleted users in Security

Splunk searches from deleted users

Re: Splunk searches from deleted users