Alerting

employee left company reports owned by him not visible under reports/search settings now.

nilupat
Engager

One of employee left company.

Now all reports & alerts owned by him are not visible in splunk . 

We have splunk 7.3.3 in our environment

How can i search those alerts / reports as they are very important for us as we modify those alerts / report periodically

Regards,

Nilesh  

Labels (1)
Tags (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

You'll need to assign those reports and alerts to someone else.  It's a good idea to create a service account to use for public report and alerts to avoid this issue.

Go to Settings->All configurations then click the "Reassign Knowledge Objects" button in the top-right corner.  Click the "Orphaned" box to identify all KOs without an owner.  Select the ones you wish to re-assign and then click "Reassign".  Select the name of the new owner and click Save.

---
If this reply helps you, Karma would be appreciated.
0 Karma

marilyncugal
Engager

This might sound weird but if the user account of that employee has been deleted, try recreating it and then login using that account. Then you will see all the knowledge objects under their account. After that, change the permission of those KOs app/global.  Logout and login as admin. Reassign those KOs to an existing/active user.  Lastly, you can delete the user account of the resigned employee.

OR, you can check savedsearches.conf in the backend and copy those which are under the resigned employee's account.

nilupat
Engager

Thanks for your response.

IT seems these were private alerts / reports configured as i do not see them in Reassign Knowledge Objects

Is there any way i can find out those

Regards,

Nilesh

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @nilupat,

i they are reports (not dashboards) you can find them by CLI in $SPLNK_HOME/etc/users/<user_name>/<use_app)/local/savedsearches.conf.

You can copy them in another savedsearches.conf or run by GUI and save them as new reports.

Ciao.

Giuseppe

0 Karma

nilupat
Engager

Hi,

We have Splunk installed on Windows Servers.

There are 3 different servers having 3 different roles like 

Server1 as indexer

Server2 as Search Head / DB Connect

Server3 as Master Server.

Where shall i check or restore the file mentioned as savedsearches.conf 

Regards,

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @nilupat,

savedsearches are in the Search Head.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...