Alerting

How can we migrate our alerts to generic accounts?

danielbb
Motivator

We were instructed that our teams will need to migrate the alerts from individual accounts to generic ones as any employee can leave at any point.

What's the process of migrating the alerts?

woodcock
Esteemed Legend

What most people do is to remove the local.meta file so that all objects have no owner and are then owned by nobody. This works great because they work the same as before but are not tied to ANY user.

solarboyz1
Builder

First, you will need to create the generic or service accounts in Splunk, and ensure they have the appropriate role, capabilities, etc.

Next, you just need to migrate ownership of the objects.

Via GUI:

settings -> all configurations -> reassign knowledge objects

Select the knowledge objects, and reassign to the service account.

VIA Config Files:

This gets a little more complicated, since permissions can be applied granularly to specific objects as well as generally to multiple objects using wildcards.

You would need to find the metadata related to the object in question, and modify the owner line:

[views/*]
access = read : [ * ], write : [ admin ]
export = none
owner = admin
version = 7.1
modtime = 1400528935.011292000

If you are using a naming convention for objects, it may be easier to find and group them for this change.
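As an added example (not code from any of the posts above), a small Python script that applies the config-file approach to a constructed local.meta: it rewrites the owner line only in savedsearches stanzas owned by a departing user, and leaves wildcard stanzas such as [views/*] untouched so the change stays scoped to the objects you actually reviewed. The user names, the service account name and the stanza names are made up for the example.

```python
import re
from typing import List, Tuple

# Constructed sample local.meta (not from the original thread): one alert owned
# by a departing user, one already owned by admin, and a wildcard stanza.
SAMPLE_LOCAL_META = """\
[savedsearches/Failed%20Logins%20Alert]
access = read : [ * ], write : [ admin ]
owner = jdoe
version = 7.1
modtime = 1400528935.011292000

[savedsearches/Disk%20Usage%20Alert]
owner = admin

[views/*]
access = read : [ * ], write : [ admin ]
owner = admin
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
OWNER_RE = re.compile(r"^(?P<key>owner\s*=\s*)(?P<value>\S+)\s*$")


def reassign_owners(meta_text: str, departing: set, service_account: str,
                    object_type: str = "savedsearches") -> Tuple[str, List[str]]:
    """Rewrite `owner = <user>` in stanzas of object_type owned by a departing user.

    Returns (rewritten text, names of stanzas that were changed). Wildcard
    stanzas (e.g. [savedsearches/*]) are skipped on purpose: a blanket owner
    there would also cover objects created later by other users.
    """
    out, changed = [], []
    current = None
    for line in meta_text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")      # remember which stanza we are in
        else:
            m = OWNER_RE.match(line)
            if (m and current and current.startswith(object_type + "/")
                    and not current.endswith("/*")
                    and m.group("value") in departing):
                line = f"{m.group('key')}{service_account}"
                changed.append(current)
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_text, changed = reassign_owners(SAMPLE_LOCAL_META, {"jdoe"}, "svc_alerts")
    print("reassigned:", changed)
    print(new_text)
```

Run it against a copy of the real file first and diff the output before writing it back, then restart Splunk as noted elsewhere in this thread.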

jacobpevans
Motivator

Howdy Daniel,

I assume you are referring to the "owner" field of the alert. If so, you can update it in the local.meta file located in $SPLUNK_HOME\etc\apps\[app]\metadata. If you delete the entire owner = [admin] line, the owner will display as nobody through the web app. All other settings can be modified from savedsearches.conf under $SPLUNK_HOME\etc\apps\[app]\local. You will need to restart Splunk for the changes to go into effect.

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

danielbb
Motivator

Great @jacobpevans. Is there any way to do this sort of change via the UI?

jacobpevans
Motivator

@danielbb There is no way to change the owner via the UI as far as I know.

edit: @solarboyz1 is correct - I followed his steps and was able to change the owner via UI.

Cheers,
Jacob

solarboyz1
Builder

This was added in 6.6:

settings -> all configurations -> Reassign knowledge objects