https://community.splunk.com/t5/Monitoring-Splunk/How-to-clear-orphan-scheduled-searches-that-you-cannot-find/m-p/625023#M9264 <P>I don't know if this is the correct method, but it seems to have worked.</P><P>Using "find" command, I found the scheduled search under the /opt/splunk/etc/users/&lt;user-name&gt;/&lt;app-name&gt;&nbsp; in savedsearches.conf.&nbsp; Then&nbsp;I went in to each shc node and disabled it, then did a rolling restart.</P><P>&nbsp;</P><P>&nbsp;</P><P>Interestingly, under /opt/splunk/etc/users/&lt;user-name&gt;/&lt;app-name&gt;/metadata &gt;in local.meta there was nothing for the owner, completely missing... but the search name was in there.&nbsp; &nbsp;I have no idea how the shc got this way, but would really like to know, if anyone can explain.</P><P>&nbsp;</P><P>Thank you</P><P>&nbsp;</P> Wed, 21 Dec 2022 22:37:34 GMT Glasses2 2022-12-21T22:37:34Z https://community.splunk.com/t5/Monitoring-Splunk/How-to-clear-orphan-scheduled-searches-that-you-cannot-find/m-p/624476#M9251 <P>Hi,</P><P>I have an annoying alert that is firing whenever 2 orphaned searches run on their cron schedule.</P><P>I have reassigned orphaned searches in that past without issue but these two searches I cannot find in the all configs to reassign.&nbsp; &nbsp; I can find the orphaned searches with the following query&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| rest splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0 | search orphan=1 disabled=0 is_scheduled=1 | eval status = if(disabled = 0, "enabled", "disabled") | fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions | rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>When I go to settings &gt; All configurations, set the search to All apps and owners, I cannot find the searches....</P><P>When I go to settings &gt; All configs &gt; Reassign KO &gt; Orphaned, select to search all, (although there are loads of orphaned objects)&nbsp; I cannot find these 2 searches causing the alerts.</P><P>When I look on the shc cluster nodes in the /opt/splunk/etc/apps/&lt;app_name&gt;, I cannot find them either.....&nbsp; &nbsp;However the MC health check says the orphaned objects are on all 3 of the shc nodes.</P><P>I should also mention when I try to reassign other visible objects for these specific owners, it throws an error...</P><P>"<SPAN>Could not find object..."</SPAN></P><P>Any advice greatly appreciated.</P><P>Thank you</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 15 Dec 2022 23:22:33 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-to-clear-orphan-scheduled-searches-that-you-cannot-find/m-p/624476#M9251 Glasses2 2022-12-15T23:22:33Z https://community.splunk.com/t5/Monitoring-Splunk/How-to-clear-orphan-scheduled-searches-that-you-cannot-find/m-p/625023#M9264 <P>I don't know if this is the correct method, but it seems to have worked.</P><P>Using "find" command, I found the scheduled search under the /opt/splunk/etc/users/&lt;user-name&gt;/&lt;app-name&gt;&nbsp; in savedsearches.conf.&nbsp; Then&nbsp;I went in to each shc node and disabled it, then did a rolling restart.</P><P>&nbsp;</P><P>&nbsp;</P><P>Interestingly, under /opt/splunk/etc/users/&lt;user-name&gt;/&lt;app-name&gt;/metadata &gt;in local.meta there was nothing for the owner, completely missing... but the search name was in there.&nbsp; &nbsp;I have no idea how the shc got this way, but would really like to know, if anyone can explain.</P><P>&nbsp;</P><P>Thank you</P><P>&nbsp;</P> Wed, 21 Dec 2022 22:37:34 GMT https://community.splunk.com/t5/Monitoring-Splunk/How-to-clear-orphan-scheduled-searches-that-you-cannot-find/m-p/625023#M9264 Glasses2 2022-12-21T22:37:34Z