topic Re: Why are we getting alerts for a disabled user? in Splunk Enterprise

Why are we getting alerts for a disabled user?

Mohanveera1 — Mon, 28 Mar 2022 07:37:39 GMT

Hi there,

One of my colleague having admin access has created a dashboard for audit to know that who logged into Splunk and how many times does the user login into Splunk for the last 7 days for all the users. One of the users left the organization in January and we deleted the account with admin login and transferred all the knowledge objects to the other user also but Now we are seeing his name in the dashboard and alerts were triggering on his name also. We have again checked the user list but his name was not available, but we are still seeing his name in the alerts and dashboard. Can anyone help me with it…

the search query used for creating the dashboard is

index=_internal sourcetype=splunkd_access | timechart span=6h count by user

The Raw Event displaying while searching the query is:

127.0.0.1 - name of the user* [28/Mar/2022:05:28:17.505 +0000] "POST /servicesNS/nobody/search/saved/searches/Single%20User%20Failed%20Attempt/notify?trigger.condition_state=1 HTTP/1.1" 200 1933 "-" "Splunk/8.1.0 (Linux 4.15.0-1023-azure; arch=x86_64)" - 2ms

Please help me to resolve it and thanks in advance......

Re: Why are we getting alerts for a disabled user?

dhirendra761 — Mon, 28 Mar 2022 11:08:06 GMT

Hi @Mohanveera1

Go To setting
Server Setting (under System)
Click on Email settings
Check value for "Send emails as" (under Email Format)

You can also disable Alert by doing this:

Setting -> Searches, reports, and alerts -> <Search alert> -> under ACTION tab -> disable

Re: Why are we getting alerts for a disabled user?

Mohanveera1 — Mon, 28 Mar 2022 12:07:36 GMT

hi @dhirendra761

Thank you for responding to my query. As per your instruction, i have checked the Send emails as in Email Settings, and previously we have set a mail id i.e *****@***. For every alerts that is triggered we have given the triggered action as send mail to the receipts. so if an alert triggers we will receive the mail from mail address *****@*** . if i remove the Send emails as (Value) from the Email settings then we cannot receive the mail. And in the Send emails as (value) in Email Settings also the mail id is not the user that left the organization its other mail id and there is no relation between these two.

And Next step is to disable the alert, i have reassigned all the knowledge objects of the user that left the organization to my name. And there is no alert on his name to disable it also....

Please help me to get it resolved, Thanks in advance...

Re: Why are we getting alerts for a disabled user?

dhirendra761 — Mon, 28 Mar 2022 12:26:14 GMT

@Mohanveera1

What do you want exactly with alert?

Re: Why are we getting alerts for a disabled user?

dhirendra761 — Mon, 28 Mar 2022 12:31:01 GMT

@Mohanveera1

if you don't want to see his name in the dashboard then change in

<SPLUNK_HOME>/etc/apps/<APP_NAME>/default/data/ui/views/*.xml

and if you don't want to see alerts were triggering on his name then change in :

savedsearches.conf

<SPLUNK_HOME>/etc/apps/<APP_NAME>/default/savedsearches.conf

That's it.