
Scheduled saved search deleted LDAP user

deeades
New Member

We had a user that set up a scheduled search to run weekly and would send a report by email. We are set up for LDAP authentication and this user has left our company and their AD account has been removed. The report is no longer being sent by email. When I attempt to go to the saved search from a previous link I receive "user does not exist: username". The report is also not listed in the Reports List. The report must have had this user listed as the owner. I have come across a few other answers that are somewhat related but have not found a definitive answer to this question. Is this saved search not available any longer, or is there a way to retrieve it somehow? I am not sure of the complete search string that was used.

Thanks.

0 Karma
1 Solution

richgalloway
SplunkTrust

Try this search to locate this and other orphaned searches.

| rest /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time actions
| rename eai:acl.owner as owner eai:acl.app as app eai:acl.sharing as sharing

Once you find it you should be able to change the owner, either using the GUI (depending on your Splunk version) or by editing .conf files.
See "Manage orphaned knowledge objects" at http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Resolveorphanedsearches

---
If this reply helps you, Karma would be appreciated.
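
An added example, not part of the original post: the same filter as the search above (`orphan=1 disabled=0 is_scheduled=1`), applied offline to a saved copy of the endpoint's JSON response. It goes one step further than the post by optionally comparing owners against a list of active usernames, which helps during offboarding reviews; the response layout, the `active_users` parameter and all sample values are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like the endpoint's output_mode=json response
# (entry -> name / acl / content). Layout assumed; all values are made up.
SAMPLE = json.loads("""
{"entry": [
 {"name": "Weekly VPN report",
  "acl": {"owner": "jdoe", "app": "search", "sharing": "user"},
  "content": {"orphan": "1", "disabled": "0", "is_scheduled": "1", "cron_schedule": "0 6 * * 1"}},
 {"name": "Disk usage",
  "acl": {"owner": "asmith", "app": "search", "sharing": "app"},
  "content": {"orphan": "0", "disabled": "0", "is_scheduled": "1", "cron_schedule": "*/15 * * * *"}},
 {"name": "Old ad hoc query",
  "acl": {"owner": "jdoe", "app": "search", "sharing": "user"},
  "content": {"orphan": "1", "disabled": "0", "is_scheduled": "0", "cron_schedule": ""}},
 {"name": "License check",
  "acl": {"owner": "nobody", "app": "ops", "sharing": "global"},
  "content": {"disabled": false, "is_scheduled": true, "cron_schedule": "0 * * * *"}},
 {"name": "Failed logins",
  "acl": {"owner": "bwayne", "app": "ops", "sharing": "app"},
  "content": {"disabled": false, "is_scheduled": true, "cron_schedule": "0 7 * * *"}}
]}
""")

def truthy(value):
    """Accept true/false, 1/0 and "1"/"0" spellings of a boolean."""
    return str(value).strip().lower() in ("1", "true", "yes")

def orphaned_scheduled(response, active_users=None):
    """Enabled, scheduled searches that the server flagged as orphaned or,
    if active_users is given, whose owner is not in that set."""
    hits = []
    for entry in response.get("entry", []):
        acl, content = entry.get("acl", {}), entry.get("content", {})
        owner = acl.get("owner", "")
        flagged = truthy(content.get("orphan", 0))
        # "nobody" marks objects with no user owner, so it is never "missing".
        missing = active_users is not None and owner not in set(active_users) | {"nobody"}
        running = truthy(content.get("is_scheduled", 0)) and not truthy(content.get("disabled", 0))
        if running and (flagged or missing):
            hits.append({"title": entry.get("name"), "owner": owner, "app": acl.get("app"),
                         "sharing": acl.get("sharing"), "cron": content.get("cron_schedule")})
    return sorted(hits, key=lambda h: (h["owner"], h["title"]))

if __name__ == "__main__":
    # Hypothetical list of accounts that still exist in the directory.
    for hit in orphaned_scheduled(SAMPLE, active_users={"asmith", "admin"}):
        print("{owner:8} {app:8} {sharing:6} {cron:14} {title}".format(**hit))
```
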


deeades
New Member

The recommended search came back showing the report I am looking for but I do not see how to change the owner. It comes up on the statistics tab and when I click on the Title or Owner it shows more menu options but they all seem to run further searches. We are on version 6.6.0.

Thanks.

0 Karma

richgalloway
SplunkTrust

Once you have the name and app go to Settings->All configurations and click the Reassign Knowledge Object button. Select the right app, scroll down to the search in question, and click Reassign. Choose the new owner, click Save, and you're done.

If your Splunk doesn't have the Reassign Knowledge Objects button (I don't have 6.6) then see the documentation link in my answer for other ways to change ownership. The doc explains it better than I could.

0 Karma