- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Getting the warning "Splunk has found # orphaned searches owned by # unique disabled users", but no results displayed
We are running Splunk Enterprise v. 7.0.4 on our search head cluster.
Recently we have started to get the following warning:
"Splunk has found 4 orphaned searches owned by 1 unique disabled users.Click to view the orphaned scheduled searches. Reassign them to a valid user to re-enable or alternatively disable the searches."
but the click would take us to a search that won't produce any results.
Strange, that running Health Check on Splunk DMC server doesn't show any scheduled orphaned searches on the same search heads.
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After clicking on the link few times across 4-5 days, I was finally able to see some results. We are running 4 search heads cluster.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @mlevsh,
it's weird that there isn't any result. I also don't have a clue why... maybe permissions.
I'll provide you a link though how you can resolve orphaned knowledge objects. 🙂
http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Resolveorphanedsearches
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@pyro_wood, I'm a Splunk admin, so it should cover permissions.
We had similar warnings before and resolved orphaned searches, but this time it's hard to be sure what user/searches combination is causing the warning to pop up.
