Solved: Orphaned Searches: how do you disable the orphan n...

koshyk · ‎10-29-2018

hi,

We have quite a large amount of users and hence leavers/movers are common. We are aware of how to fix the orphaned searches, but we do it in a reactive way. But if a person leaves, immediately it starts popping up on the search head, which is visible to other users too.

We have a deployer, which has oversight of all search heads, and it is also showing there, which is good enough for administrators.

Hence the query,..which .conf file can we push the configs to search heads only, so the orphaned notifications are NOT shown?

mlevsh · ‎10-31-2018

@koshyk
http://docs.splunk.com/Documentation/Splunk/7.2.0/Knowledge/Resolveorphanedsearches:
"If you would rather not receive these notifications, open limits.conf, look for the [system_checks] stanza, and set orphan_searches to disabled"

Modify the link according to your Splunk version.

View solution in original post

mlevsh · ‎10-31-2018

@koshyk
http://docs.splunk.com/Documentation/Splunk/7.2.0/Knowledge/Resolveorphanedsearches:
"If you would rather not receive these notifications, open limits.conf, look for the [system_checks] stanza, and set orphan_searches to disabled"

Modify the link according to your Splunk version.

koshyk · ‎10-31-2018

thank you mate. cheers

Orphaned Searches: how do you disable the orphan notifications on search head members?

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector