for saved searches you can either delete them from savedsearches.conf or change owner, You can update the metadata in the location where the savedsearches.conf file exists. For instance, I've got a saved search in $SPLUNKHOME/etc/apps/search/local, I can change the owner in $SPLUNKHOME/etc/apps/search/metadata/local.meta. Determine the app that the savedsearch (or tag or eventtype etc) belongs to. Edit the file
Find the item(s) that need to be changed, and update the owner field.
export = none
owner = admin
version = 6.2.3
modtime = 1394164870.793299000
or you want it to be done using CLI -
So, if I don't know where all the user is located - or I want to perform an audit, validating all the users of all the searches, etc. - is there some method of dealing with that? I'm new to splunk and I don't know where User xyz's things are. I do know that some actions in splunk generate quite a long list of "invalid key in stanza" type messages
See my comment at the top. I wrote a program called Splunk Toolbox that gives you the ability to do:
Change ownership of any object
Search almost any object for specific information
Search all apps, searches, etc
Edit lookup tables
Edit any .conf
Edit just about anything in Splunk
Lots more. this program is entering beta and I need testers. I've been a Splunk user ever since version 2.x. I spoke at .conf2014.