Splunk Search

How do I find an orphaned search in Splunk 6.4.1?

tweaktubbie
Communicator

After migrating to 6.4.1, we are now notified of orphaned objects. Cleaned them up or cloned them to new ones, but one remains:

Splunk has found 1 orphaned searches owned by 1 unique disabled users. Click to view the orphaned scheduled searches. Reassign them to a valid user to re-enable or alternatively disable the searches.
I have the admin role and user context/app all, but I'm still not able to locate the user/search name. Is there some way to rebuild any repository or config files? It now seems there's some ghost object in the system.

0 Karma
1 Solution

inventsekar
Ultra Champion

from https://answers.splunk.com/answers/418132/orphaned-scheduled-search-doesnt-work.html
please check
| rest splunk_server=local /services/saved/searches add_orphan_field=1
or
| rest splunk_server=local /services/saved/searches
or
| rest /servicesNS/-/-/saved/searches add_orphan_field=yes count=0

View solution in original post

dhruv05
New Member

Try this..

| rest splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing

0 Karma

yahuja_splunk
Splunk Employee
Splunk Employee

this works in 6.4.4.

| rest splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing

duartet
Path Finder

Yes that is the most correct answer. Thanks Yahuja.

0 Karma

darlas
Communicator

Hi.

Thanks for this idea. I get "connection failed with Read timeout" when I run this.

I'm on 6.5.1 so maybe this no longer works in latest version?

0 Karma

christian_l
Path Finder

Try removing the splunk_server=local within the first | rest query.
This one worked for me:
| rest /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing

0 Karma

yahuja_splunk
Splunk Employee
Splunk Employee

may be. i am not sure.

0 Karma

pradeepkumarg
Influencer

@darlas Did you get a solution to this? I upgraded to 6.5.2 and facing the same "connection failed with Read timeout" situation.

0 Karma

darlas
Communicator

sorry no solution. just living with the orphaned searches for now. sorry to not be of any help to you.

0 Karma

tweaktubbie
Communicator

works fine here on 6.5.1. does executing the first line only give output? (and yeah first time got the '5.' included in the copy/paste which of course does not work ;))

0 Karma

inventsekar
Ultra Champion

from https://answers.splunk.com/answers/418132/orphaned-scheduled-search-doesnt-work.html
please check
| rest splunk_server=local /services/saved/searches add_orphan_field=1
or
| rest splunk_server=local /services/saved/searches
or
| rest /servicesNS/-/-/saved/searches add_orphan_field=yes count=0

darlas
Communicator

I tried all 3 commands and none seemed to identify orphaned searches. maybe I am not sure how to interpret the output.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...