
How can we migrate our alerts to generic accounts?


We were instructed that our teams will need to migrate the alerts from individual accounts to generic ones as any employee can leave at any point.

What's the process of migrating the alerts?


Re: How can we migrate our alerts to generic accounts?


Howdy Daniel,

I assume you are referring to the "owner" field of the alert. If so, you can update it in the local.meta file located in $SPLUNK_HOME\etc\apps\[app]\metadata. If you delete the entire owner = [admin] line, the owner will display as nobody through the web app. All other settings can be modified from savedsearches.conf under $SPLUNK_HOME\etc\apps\[app]\local. You will need to restart Splunk for the changes to go into effect.

Cheers,
Jacob


Re: How can we migrate our alerts to generic accounts?


Great @jacobevans. Is there any way to do this sort of change via the UI?


Re: How can we migrate our alerts to generic accounts?


@danielbb There is no way to change the owner via the UI as far as I know.

edit: @solarboyz1 is correct - I followed his steps and was able to change the owner via UI.

Cheers,
Jacob

Re: How can we migrate our alerts to generic accounts?


This was added in 6.6:

settings -> all configurations -> Reassign knowledge objects


Re: How can we migrate our alerts to generic accounts?


First, you will need to create the generic or service accounts in Splunk, and ensure they have the appropriate role, capabilities, etc.

Next, you just need to migrate ownership of the objects.

Via GUI:

settings -> all configurations -> reassign knowledge objects

Select the knowledge objects, and reassign to the service account.

Via Config Files:

This gets a little more complicated, since permissions can be applied granularly to specific objects as well as generally to multiple objects using wildcards.

You would need to find the metadata related to the object in question, and modify the owner line:

[views/*]
access = read : [ * ], write : [ admin ]
export = none
owner = admin
version = 7.1
modtime = 1400528935.011292000

If you are using a naming convention for objects, it may be easier to find and group them for this change.
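The config-file route above, as an added example (not code from this thread or from Splunk): it walks the stanzas of a local.meta file, and for every stanza of one object type (savedsearches by default, including wildcard stanzas such as [savedsearches/*]) whose owner is a departing user it either rewrites the owner line to the service account or, when no service account is given, drops the line so Splunk shows the owner as nobody. All other lines are copied through untouched so the file can be diffed before a restart. The local.meta content, the user names and the account name svc_alerts are constructed for the example.

```python
import re

# Constructed local.meta content for the example (not from a real deployment).
SAMPLE_LOCAL_META = """\
[savedsearches/Failed%20Logins]
access = read : [ * ], write : [ admin ]
export = none
owner = dbrown
version = 7.1
modtime = 1400528935.011292000

[savedsearches/*]
owner = jsmith

[views/*]
access = read : [ * ], write : [ admin ]
export = none
owner = admin
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
OWNER_RE = re.compile(r"^(?P<key>\s*owner\s*=\s*)(?P<value>.*?)\s*$")


def reassign_owners(meta_text, departing_users, service_account,
                    object_type="savedsearches"):
    """Return (new_text, changes) for a local.meta file.

    Only stanzas whose type prefix matches object_type (e.g. 'savedsearches/...')
    are considered, and only when their owner is in departing_users. With a
    service_account the owner line is rewritten; with None it is removed, so the
    object shows as owned by nobody. changes lists (stanza, old_owner) pairs.
    """
    changes, out, current = [], [], None
    for line in meta_text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")          # e.g. 'savedsearches/*'
            out.append(line)
            continue
        m = OWNER_RE.match(line)
        if (m and current and current.split("/", 1)[0] == object_type
                and m.group("value") in departing_users):
            changes.append((current, m.group("value")))
            if service_account is None:
                continue                       # drop the line: owner becomes nobody
            line = m.group("key") + service_account
        out.append(line)
    return "\n".join(out) + "\n", changes


if __name__ == "__main__":
    text, changed = reassign_owners(SAMPLE_LOCAL_META, {"dbrown", "jsmith"}, "svc_alerts")
    for stanza, old in changed:
        print(f"{stanza}: {old} -> svc_alerts")
    print(text)
```

Run it against a copy of $SPLUNK_HOME/etc/apps/[app]/metadata/local.meta, review the reported stanzas, then write the result back and restart Splunk as the thread notes.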


Re: How can we migrate our alerts to generic accounts?


What most people do is to remove the local.meta file so that all objects have no owner and are then owned by nobody. This works great because they work the same as before but are not tied to ANY user.