We were instructed that our teams will need to migrate the alerts from individual accounts to generic ones as any employee can leave at any point.
What's the process of migrating the alerts?
What most people do is to remove the local.meta file so that all objects have no owner and are then owned by nobody. This works great because they work the same as before but are not tied to ANY user.
First, you will need to create the generic or service accounts in Splunk, and ensure they have the appropriate role, capabilities, etc.
Next, you just need to migrate ownership of the objects.
Via GUI:
settings -> all configurations -> reassign knowledge objects
Select the knowledge objects, and reassign to the service account.
Via Config Files:
This gets a little more complicated, since permissions can be applied granularly to specific objects as well as generally to multiple objects using wildcards.
You would need to find the metadata related to the object in question, and modify the owner line:
[views/*]
access = read : [ * ], write : [ admin ]
export = none
owner = admin
version = 7.1
modtime = 1400528935.011292000
If you are using a naming convention for objects, it may be easier to find and group them for this change.
Howdy Daniel,
I assume you are referring to the "owner" field of the alert. If so, you can update it in the local.meta file located in $SPLUNK_HOME\etc\apps\[app]\metadata. If you delete the entire owner = [admin] line, the owner will display as nobody through the web app. All other settings can be modified from savedsearches.conf under $SPLUNK_HOME\etc\apps\[app]\local. You will need to restart Splunk for the changes to go into effect.
Cheers,
Jacob
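Added example, not code from this thread or from Splunk: a small Python script that performs the config-file step solarboyz1 describes (rewrite the owner line of matching stanzas to a service account) and the variant Jacob describes (delete the owner line so the object shows as nobody), run here against a constructed local.meta fragment. The service account name svc_alerts, the user names dbrown and jsmith, and the stanza names are placeholders; the audit function lets you list which alerts are still owned by individual accounts before touching anything. The edited text still has to be written back to $SPLUNK_HOME/etc/apps/[app]/metadata/local.meta and Splunk restarted, as the replies above say.

```python
"""Reassign or drop the owner of Splunk knowledge objects in a local.meta file.

Added example for this thread (not Splunk's own code). Assumptions:
- local.meta uses the [stanza] / key = value layout shown in the thread
- 'svc_alerts' is a placeholder service account; 'dbrown'/'jsmith' are
  placeholder departing users
"""
import re
from typing import Dict, List, Optional, Set, Tuple

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
OWNER_RE = re.compile(r"^\s*owner\s*=\s*(?P<owner>\S.*?)\s*$")

# Constructed local.meta fragment; stanza names are URL-encoded like Splunk writes them.
SAMPLE_META = """\
[views/*]
access = read : [ * ], write : [ admin ]
export = none
owner = admin
version = 7.1
modtime = 1400528935.011292000

[savedsearches/Failed%20Logins%20Burst]
access = read : [ * ], write : [ admin ]
owner = dbrown
version = 7.1
modtime = 1400528935.011292000

[savedsearches/Privilege%20Escalation]
owner = jsmith
"""


def owners_by_object(meta_text: str, object_prefix: str = "savedsearches/") -> Dict[str, str]:
    """Audit step: map each stanza under object_prefix to the owner it declares.

    Use this first to find alerts still tied to individual accounts.
    """
    owners: Dict[str, str] = {}
    stanza: Optional[str] = None
    for line in meta_text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group("name")
            continue
        m = OWNER_RE.match(line)
        if m and stanza and stanza.startswith(object_prefix):
            owners[stanza] = m.group("owner")
    return owners


def reassign_owners(
    meta_text: str,
    departing_users: Set[str],
    new_owner: Optional[str],
    object_prefix: str = "savedsearches/",
) -> Tuple[str, List[Tuple[str, str, Optional[str]]]]:
    """Return (rewritten_meta_text, changes).

    Only stanzas whose name starts with object_prefix and whose owner is in
    departing_users are touched. new_owner=None deletes the owner line, which
    Splunk then displays as 'nobody'. Each change is (stanza, old, new).
    """
    out: List[str] = []
    changes: List[Tuple[str, str, Optional[str]]] = []
    stanza: Optional[str] = None
    for line in meta_text.splitlines(keepends=True):
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group("name")
            out.append(line)
            continue
        m = OWNER_RE.match(line)
        if (
            m
            and stanza
            and stanza.startswith(object_prefix)
            and m.group("owner") in departing_users
        ):
            changes.append((stanza, m.group("owner"), new_owner))
            if new_owner is not None:
                out.append(f"owner = {new_owner}\n")
            # new_owner is None: the line is dropped (object becomes 'nobody')
            continue
        out.append(line)
    return "".join(out), changes


if __name__ == "__main__":
    print("Current alert owners:", owners_by_object(SAMPLE_META))
    rewritten, changed = reassign_owners(SAMPLE_META, {"dbrown"}, "svc_alerts")
    for stanza_name, old, new in changed:
        print(f"{stanza_name}: {old} -> {new}")
    print(rewritten)
    # Write 'rewritten' back to local.meta and restart Splunk to apply.
```

The views/* stanza is left alone because the prefix filter only selects savedsearches, which is the granular-versus-wildcard distinction solarboyz1 points out: a wildcard stanza such as [savedsearches/*] would also be rewritten if its owner were a departing user, so review the change list before writing the file.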
Great @jacobevans. Is there any way to do this sort of change via the UI?
@danielbb There is no way to change the owner via the UI as far as I know.
edit: @solarboyz1 is correct - I followed his steps and was able to change the owner via UI.
This was added in 6.6:
settings -> all configurations -> Reassign knowledge objects