
Splunk has found 1 orphaned searches owned by 1 unique disabled users. Click to view the orphaned scheduled searches. Reassign them to a valid user to re-enable or alternatively disable the searches.

Motivator

Hi All,

We are getting this pop-up message in the Splunk console. Based on the link below, provided in the answer.com post, I tried to detect the orphaned searches in our environment but was unable to get the details.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Knowledge/Resolveorphanedsearches

Splunk version details: 6.6.1

Methods used to detect the orphaned searches:

1) Look at the Orphaned Scheduled Searches, Reports, and Alerts dashboard and report

Query details:

| rest timeout=600 splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing

Getting "No results found".

2) Run the Monitoring Console health check

Settings --> Monitoring Console --> Health Check --> Start

Getting the message below:

Message
This health check item was successful. Everything is good here. All the Splunk instance results are good.

3) Use the Reassign Knowledge Objects page in Settings

Settings --> All Configurations --> Reassign Knowledge Objects --> Orphaned, to filter for the orphaned searches.

Getting "No results found".

Kindly guide me on how to find out which scheduled search is left orphaned in the search head cluster.

1 Solution

Motivator

Hi All,

The issue got fixed by following the steps below: Reassign unshared, orphaned knowledge objects.

1) After logging into the Splunk portal, we first need to get the orphaned searches' names and owner details; that information can be obtained from the orphaned scheduled search reports. You can also execute the query below manually to fetch the same result.

Query Details:
| rest timeout=600 splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing

2) On getting the owner name / search name, we need to re-create the invalid owner by going to Settings --> Access controls --> Users (with minimum role and capabilities, as the user is temporary).

3) Once the user is re-created, go to Settings --> Knowledge objects --> All configurations --> Reassign Knowledge Objects --> Orphaned tab, select the orphaned search and assign it to the re-created user.

4) After assigning the orphaned search, go to Settings --> Knowledge objects --> Searches, Reports and Alerts and select the search that was re-assigned to the invalid user. In my case the report was specific to that user and was not important, so we disabled the report.
Note: If the reports/alerts/searches are important, then you need to re-assign them to a valid user before disabling/removing the user from Splunk.

5) Once the reports are disabled, we can delete the invalid user via Settings --> Access controls --> Users --> invalid user --> Delete.

6) Validate by executing the above search query again and also checking whether the pop-up message is cleared from the portal.

Referred to the Splunk documentation (linked in the original post).

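As an added example (not from this thread and not Splunk's own code), the Python below applies the same filter as the `| search orphan=1 disabled=0 is_scheduled=1` line to a constructed JSON response from the `saved/searches` endpoint, and builds the REST request that gives a hit a valid owner (a POST to the object's `acl` endpoint, the API equivalent of the Reassign Knowledge Objects page). The sample entries and the new owner name `secops_svc` are made up; the search name and the `test01` user come from the thread.

```python
import json
from urllib.parse import quote

# Constructed sample (not a real capture) of what
# GET /servicesNS/-/-/saved/searches?add_orphan_field=yes&count=0&output_mode=json
# returns, trimmed to the fields this check needs.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "SEC-GRC-ALERT-OIM-Email-DirSync-Errors",
     "acl": {"owner": "test01", "app": "search", "sharing": "user"},
     "content": {"disabled": False, "is_scheduled": True, "orphan": True,
                 "cron_schedule": "*/15 * * * *"}},
    {"name": "Daily Summary",
     "acl": {"owner": "admin", "app": "search", "sharing": "app"},
     "content": {"disabled": False, "is_scheduled": True, "orphan": False,
                 "cron_schedule": "0 6 * * *"}},
    {"name": "Old Report",
     "acl": {"owner": "ghost", "app": "search", "sharing": "user"},
     "content": {"disabled": "1", "is_scheduled": "1", "orphan": "1",
                 "cron_schedule": "0 1 * * *"}},
]})


def _flag(value):
    """Splunk renders flags as JSON booleans or as the strings "1"/"true"; accept both."""
    return value is True or str(value).lower() in ("1", "true")


def orphaned_scheduled(response_json):
    """Apply the same filter as `| search orphan=1 disabled=0 is_scheduled=1`."""
    hits = []
    for entry in json.loads(response_json)["entry"]:
        content, acl = entry["content"], entry["acl"]
        if _flag(content.get("orphan")) and _flag(content.get("is_scheduled")) \
                and not _flag(content.get("disabled")):
            hits.append({"search name": entry["name"], "owner": acl["owner"],
                         "app": acl["app"], "sharing": acl["sharing"],
                         "cron_schedule": content.get("cron_schedule")})
    return hits


def reassign_request(hit, new_owner):
    """Build the REST call that gives the search a valid owner: a POST to the
    object's acl endpoint, which requires `sharing` alongside `owner`."""
    path = "/servicesNS/{}/{}/saved/searches/{}/acl".format(
        quote(hit["owner"], safe=""), quote(hit["app"], safe=""),
        quote(hit["search name"], safe=""))
    return {"method": "POST", "path": path,
            "data": {"owner": new_owner, "sharing": hit["sharing"]}}


if __name__ == "__main__":
    for hit in orphaned_scheduled(SAMPLE_RESPONSE):
        print(hit, reassign_request(hit, "secops_svc"))  # "secops_svc" is a made-up owner
```

Only the enabled, scheduled, orphaned search is reported; the disabled one is what the pop-up stops complaining about once step 4 is done.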


Esteemed Legend

You should click Accept on your answer but do not neglect to UpVote any answers that helped you get there.


Motivator

Hey woodcock, sorry, I did not understand your context. Please let me know what you mean by UpVote?


Esteemed Legend

There is a caret/chevron character (alongside the same character upside-down) next to every comment and answer (even the question, where it is the most prominent). Click on the ^ one to UpVote and the v one to DownVote.


Esteemed Legend

I UpVoted your answer.


Esteemed Legend

Run this search on your Search Head directly:

| rest splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| where disabled=0 AND is_scheduled=1 AND orphan=1

SplunkTrust

Remove this line from the search and see what happens: | search orphan=1 disabled=0 is_scheduled=1


Motivator

Hi Dal Jeanis, thanks for your support on this, but I do not see the alert message popping up currently in the Splunk GUI, so I did not test the search.


Motivator

Hey, I could see the same message popped up again in the search head portal, and I have identified the search name SEC-GRC-ALERT-OIM-Email-DirSync-Errors and the user name who owned the search.

But the challenge now is that the user got deleted from Splunk, so I am unable to find the particular orphaned search in Settings --> Searches, reports, and alerts. I had gone through the Splunk documentation.


But I was unable to find it after re-creating the user from Settings --> Access controls --> Users.

And at the same time, on the search head cluster node, I could see the search details under this path: /opt/splunk/etc/users/test01/local/search/savedsearches.conf. Can I comment it out with # in this location; will that work? Kindly guide me on how to fix this issue.


Motivator

Can anyone guide me on this?


Motivator

Any help on this issue will be much appreciated!!!
