I assume you are referring to the "owner" field of the alert. If so, you can update it in the local.meta file located in $SPLUNK_HOME\etc\apps\[app]\metadata. If you delete the entire owner = [admin] line, the owner will display as nobody through the web app. All other settings can be modified from $SPLUNK_HOME\etc\apps\[app]\local. You will need to restart Splunk for the changes to go into effect.
@danielbb There is no way to change the owner via the UI as far as I know.
edit: @solarboyz1 is correct - I followed his steps and was able to change the owner via UI.
First, you will need to create the generic or service accounts in Splunk, and ensure they have the appropriate role, capabilities, etc.
Next, you just need to migrate ownership of the objects.
settings -> all configurations -> reassign knowledge objects
Select the knowledge objects, and reassign to the service account.
VIA Config Files:
This gets a little more complicated, since permissions can be applied granularly to specific objects as well as generally to multiple objects using wildcards.
You would need to find the metadata related to the object in question, and modify the owner line:
    [views/*]
    access = read : [ * ], write : [ admin ]
    export = none
    owner = admin
    version = 7.1
    modtime = 1400528935.011292000
If you using a naming convention for objects, it may be easier to find and group them for this change.
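Added example, not code from the answer above or from Splunk: a small rewriter for the owner lines in a local.meta file, so that objects matching a naming convention (a stanza glob such as savedsearches/*) can be moved to a service account in one pass, or have their owner line dropped so they fall back to nobody. The sample metadata, the stanza names and the service account name svc_alerts are constructed for the demonstration; every non-owner line is passed through unchanged.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample of a local.meta file (not taken from a real deployment).
SAMPLE_META = """\
[views/*]
access = read : [ * ], write : [ admin ]
export = none
owner = admin
version = 7.1
modtime = 1400528935.011292000

[savedsearches/Alert%20-%20Failed%20Logins]
access = read : [ * ], write : [ admin ]
owner = jsmith
version = 7.1

[savedsearches/Dashboard%20Search]
owner = jsmith
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
OWNER_RE = re.compile(r"^\s*owner\s*=")


def reassign_owner(meta_text, stanza_glob, new_owner):
    """Rewrite 'owner = ...' lines in stanzas whose name matches stanza_glob.

    new_owner=None removes the owner line instead, which is what makes
    Splunk show the object as owned by 'nobody'.  Only stanzas that already
    carry an owner line are touched; everything else is copied verbatim.
    Returns (rewritten_text, [(stanza, previous_owner), ...]).
    """
    out, changed = [], []
    in_target, stanza = False, None
    for line in meta_text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group("name")
            in_target = fnmatchcase(stanza, stanza_glob)
            out.append(line)
            continue
        if in_target and OWNER_RE.match(line):
            changed.append((stanza, line.split("=", 1)[1].strip()))
            if new_owner is not None:
                out.append(f"owner = {new_owner}")
            continue  # with new_owner=None the line is simply dropped
        out.append(line)
    return "\n".join(out) + "\n", changed
```

Review the returned change list before writing the file back, and restart Splunk afterwards as the answers above note.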
What most people do is to remove the local.meta file so that all objects have no owner and are then owned by nobody. This works great because they work the same as before but are not tied to ANY user.