I have read through the Splunk documentation, but I cannot find a way to disable an orphaned scheduled search. There is information on how to reassign an orphaned Search to a new owner - https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Resolveorphanedsearches - but no real information on disabling an Orphaned Search - https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Disableordeleteknowledgeobjects
I just want to disable the orphaned searches for now (in the Splunk app for Windows Infrastructure) so they don't run and throw warnings. I don't mind jumping into the config files, I just need some solid info on how to disable an orphaned search. I am Admin over my On Prem Splunk Enterprise, and there is no GUI control to 'disable' although there is a 'status' column with 'enabled'. There is also an 'is_scheduled' column/flag which I could change to 0 ... thanks.
Right, well, I guess I answered this one myself. There is no GUI to disable saved searches.
Instead I went into savedsearches.conf and changed all of the orphaned searches in my warnings to disabled = 1. Restarted Splunk.
Yeah that would be the simplest way to disable them for now.
If you are on a search head cluster, you will have to do it on all the members and then do a rolling restart for these changes to take effect.
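An added example, not code from the posters or from Splunk: a Python helper that applies the `disabled = 1` change described in the answer to the text of a savedsearches.conf, for a list of search names taken from the warnings. The stanza names and sample file are constructed, and the caller is assumed to read and write the right copy of the file (typically the app's `local/savedsearches.conf`); lines continued with a trailing backslash are tracked so a subsearch in brackets is not mistaken for a stanza header.

```python
import re

STANZA = re.compile(r"^\[(?P<name>.+)\]\s*$")
DISABLED = re.compile(r"^\s*disabled\s*=")

def disable_searches(conf_text, names):
    """Return conf_text with `disabled = 1` set in every stanza listed in names."""
    targets, seen, out = set(names), set(), []
    current, wrote, continued = None, False, False

    def close_stanza():
        # Target stanza had no `disabled` key: add one before its trailing blank lines.
        if current in targets and not wrote:
            idx = len(out)
            while idx > 0 and not out[idx - 1].strip():
                idx -= 1
            out.insert(idx, "disabled = 1")

    for line in conf_text.splitlines():
        # A line that continues a multi-line value is never a stanza header.
        m = None if continued else STANZA.match(line)
        if m:
            close_stanza()
            current, wrote = m.group("name"), False
            seen.add(current)
            out.append(line)
        elif not continued and current in targets and DISABLED.match(line):
            if not wrote:  # replace the first `disabled` line, drop any repeats
                out.append("disabled = 1")
                wrote = True
        else:
            out.append(line)
        continued = line.rstrip().endswith("\\")
    close_stanza()
    # Names with no stanza in this file get a minimal override stanza appended.
    for name in sorted(targets - seen):
        out += ([""] if out and out[-1].strip() else []) + [f"[{name}]", "disabled = 1"]
    return "\n".join(out) + "\n"

# Constructed sample file; search names are placeholders, not real app searches.
SAMPLE = r"""[Example Orphaned Search A]
cron_schedule = */5 * * * *
enableSched = 1
search = index=main sourcetype=example \
[ search index=main | fields host ]

[Example Search B]
disabled = 0
enableSched = 1
"""
```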