topic Re: How can we migrate our alerts to generic accounts? in Alerting

How can we migrate our alerts to generic accounts?

danielbb — Mon, 29 Jul 2019 20:34:18 GMT

We were instructed that our teams will need to migrate the alerts from individual accounts to generic ones as any employee can leave at any point.

What's the process of migrating the alerts?

Re: How can we migrate our alerts to generic accounts?

jacobpevans — Mon, 29 Jul 2019 20:52:53 GMT

Howdy Daniel,

I assume you are referring to the "owner" field of the alert. If so, you can update it in the local.meta file located in $SPLUNK_HOME\etc\apps\[app]\metadata. If you delete the entire owner = [admin] line, the owner will display as nobody through the web app. All other settings can be modified from savedsearches.conf under $SPLUNK_HOME\etc\apps\[app]\local. You will need to restart Splunk for the changes to go into effect.

Cheers,
Jacob

Re: How can we migrate our alerts to generic accounts?

danielbb — Mon, 29 Jul 2019 20:59:28 GMT

Great @jacobevans. Is there any way to do this sort of change via the UI?

Re: How can we migrate our alerts to generic accounts?

jacobpevans — Mon, 29 Jul 2019 21:04:31 GMT

@danielbb There is no way to change the owner via the UI as far as I know.

edit: @solarboyz1 is correct - I followed his steps and was able to change the owner via UI.

Re: How can we migrate our alerts to generic accounts?

solarboyz1 — Mon, 29 Jul 2019 21:05:08 GMT

First, you will need to create the generic or service accounts in Splunk, and ensure they have the appropirate role, capablities, etc..

Next, you just need to migration ownership of the objects.

Via GUI:

settings -> all configurations -> reassign knowledge objects

Select the knowledge objects, and reassign to the service account.

VIA Config Files:

This gets a little more complicated, since permissions can be applied granularly to specific objects as well as generally to mulitple objects using wildcards.

You would need to find the metadata related to the object in question, and modify the owner line:

[views/*]
access = read : [ * ], write : [ admin ]
export = none
owner = admin
version = 7.1
modtime = 1400528935.011292000

If you using a naming convention for objects, it may be easier to find and group them for this change.

Re: How can we migrate our alerts to generic accounts?

solarboyz1 — Mon, 29 Jul 2019 21:07:39 GMT

This was added in 6.6:

settings -> all configurations -> Reassign knowledge objects

Re: How can we migrate our alerts to generic accounts?

woodcock — Tue, 30 Jul 2019 05:56:00 GMT

What most people do is to remove the local.meta file so that all objects have no owner and are then owned by nobody. This works great because they work the same as before but are not tied to ANY user.