
Getting the warning "Splunk has found # orphaned searches owned by # unique disabled users", but no results displayed

mlevsh
Builder

We are running Splunk Enterprise v. 7.0.4 on our search head cluster.
Recently we have started to get the following warning:

"Splunk has found 4 orphaned searches owned by 1 unique disabled users. Click to view the orphaned scheduled searches. Reassign them to a valid user to re-enable or alternatively disable the searches."

but the click would take us to a search that won't produce any results.

Strangely, running the Health Check on the Splunk DMC server doesn't show any scheduled orphaned searches on the same search heads.

Any ideas?

0 Karma

mlevsh
Builder

After clicking on the link a few times across 4-5 days, I was finally able to see some results. We are running a cluster of 4 search heads.

0 Karma

horsefez
Motivator

Hi @mlevsh,

it's weird that there isn't any result. I also don't have a clue why... maybe permissions.

I'll provide you a link, though, on how you can resolve orphaned knowledge objects. 🙂

http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Resolveorphanedsearches

mlevsh
Builder

@pyro_wood, I'm a Splunk admin, so it should cover permissions.
We had similar warnings before and resolved orphaned searches, but this time it's hard to be sure what user/searches combination is causing the warning to pop up.

0 Karma