One of employee left company.
Now all reports & alerts owned by him are not visible in splunk .
We have splunk 7.3.3 in our environment
How can i search those alerts / reports as they are very important for us as we modify those alerts / report periodically
You'll need to assign those reports and alerts to someone else. It's a good idea to create a service account to use for public report and alerts to avoid this issue.
Go to Settings->All configurations then click the "Reassign Knowledge Objects" button in the top-right corner. Click the "Orphaned" box to identify all KOs without an owner. Select the ones you wish to re-assign and then click "Reassign". Select the name of the new owner and click Save.
This might sound weird but if the user account of that employee has been deleted, try recreating it and then login using that account. Then you will see all the knowledge objects under their account. After that, change the permission of those KOs app/global. Logout and login as admin. Reassign those KOs to an existing/active user. Lastly, you can delete the user account of the resigned employee.
OR, you can check savedsearches.conf in the backend and copy those which are under the resigned employee's account.
i they are reports (not dashboards) you can find them by CLI in $SPLNK_HOME/etc/users/<user_name>/<use_app)/local/savedsearches.conf.
You can copy them in another savedsearches.conf or run by GUI and save them as new reports.
We have Splunk installed on Windows Servers.
There are 3 different servers having 3 different roles like
Server1 as indexer
Server2 as Search Head / DB Connect
Server3 as Master Server.
Where shall i check or restore the file mentioned as savedsearches.conf