Hi All,
We are getting this pop-up message in the Splunk console. Based on the link below (provided on answer.com), I had tried to detect the orphaned searches in our environment but was unable to get the details.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Knowledge/Resolveorphanedsearches
Splunk version details: 6.6.1
Methods to detect the orphaned searches:
1) Look at the Orphaned Scheduled Searches, Reports, and Alerts dashboard and report
Query details:
| rest timeout=600 splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing
Getting "no results found".
2) Run the Monitoring Console health check
Settings --> Monitoring Console --> Health Check --> Start
Getting the message below:
Message
This health check item was successful. Everything is good here. All the Splunk instance results are good.
3) Use the Reassign Knowledge Objects page in Settings
Settings --> All configurations --> Reassign Knowledge Objects --> Orphaned, to filter out the orphaned searches.
Getting "no results found".
Kindly guide me on how to find out which scheduled search is left orphaned in the search head cluster.
Hi All,
The issue got fixed by following the steps below: Reassign unshared, orphaned knowledge objects
1) After logging into the Splunk portal, we first need to get the orphaned search name and owner details; that information can be obtained from the orphaned scheduled search reports. You can also execute the query below manually to fetch the same result.
Query Details:
| rest timeout=600 splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing
2) On getting the owner name / search name, we need to re-create the invalid owner via Settings --> Access control --> Users (with minimum roles and capabilities, as the user is temporary).
3) Once the user is re-created, go to Settings --> Knowledge objects --> All configurations --> Reassign Knowledge Objects --> Orphaned tab, select the orphaned search and assign it to the re-created user.
4) After assigning the orphaned search, go to Settings --> Knowledge objects --> Searches, reports, and alerts and select the search which was re-assigned to the invalid user. In my case the report was specific to that user and was not important, so we disabled the report.
Note: If the reports/alerts/searches are important, then you need to reassign them to a valid user before disabling/removing the user from Splunk.
5) Once the reports are disabled, we can delete the invalid user via Settings --> Access control --> Users --> invalid user --> Delete.
6) Validate by executing the above search query, and check whether the pop-up message is cleared from the portal.
Referred to the Splunk documentation.
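The detection in steps 1 to 3 above boils down to one rule: a saved search is orphaned when the account named as its owner (which, for a user-private object, is the directory name under $SPLUNK_HOME/etc/users/<owner>/<app>/local/) no longer exists, and it matters when it is enabled and scheduled. The following is an added example, not code from the thread or from Splunk, that applies that rule to constructed savedsearches.conf content and builds the REST call a script would use instead of the Reassign Knowledge Objects page. Assumptions: VALID_USERS stands in for the account list you would fetch from /services/authentication/users; the sample conf text and the users test01 and alice are invented; the ACL endpoint (POST .../saved/searches/<name>/acl with owner and sharing) is the documented Splunk REST interface, but the namespace to address a user-private orphan is taken here as the current owner and should be confirmed against your version's docs before use.

```python
"""Find orphaned scheduled searches the way Splunk's add_orphan_field does,
and build the REST request that reassigns each one to a valid owner.

Added example (not code from the original thread or from Splunk). Assumptions:
  * VALID_USERS stands in for the accounts that still exist in Splunk
    (in practice, fetch it from /services/authentication/users).
  * SAMPLE_CONFS is constructed savedsearches.conf content mimicking what
    sits under $SPLUNK_HOME/etc/users/<owner>/<app>/local/savedsearches.conf.
"""
import configparser
from urllib.parse import quote, urlencode

# Constructed sample: two user-scoped savedsearches.conf files, keyed by
# (owner, app) exactly as the on-disk path etc/users/<owner>/<app>/ implies.
SAMPLE_CONFS = {
    ("test01", "search"): """
[SEC-GRC-ALERT-OIM-Email-DirSync-Errors]
search = index=oim sourcetype=dirsync "error"
cron_schedule = */15 * * * *
enableSched = 1
disabled = 0
action.email = 1

[adhoc-report]
search = index=_internal | stats count
enableSched = 0
disabled = 0
""",
    ("alice", "search"): """
[daily-failed-logins]
search = index=auth action=failure | stats count by user
cron_schedule = 0 6 * * *
enableSched = 1
disabled = 0
""",
}

VALID_USERS = {"admin", "alice"}  # test01 has been deleted (assumption)


def parse_savedsearches(text):
    """Parse one savedsearches.conf into {stanza: {key: value}}.
    Splunk conf files are INI-like; keep key case and split only on '='
    so SPL containing '=' or ':' inside a value survives intact."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case (e.g. action.email, enableSched)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def is_truthy(value):
    """Splunk accepts 1/true/t/yes/y for boolean settings."""
    return str(value).strip().lower() in ("1", "true", "t", "yes", "y")


def find_orphaned_scheduled(confs, valid_users):
    """Return [(name, owner, app)] for searches that are enabled, scheduled
    and owned by an account that no longer exists. This is the same
    condition as 'orphan=1 disabled=0 is_scheduled=1' in the REST search."""
    orphans = []
    for (owner, app), text in confs.items():
        for name, stanza in parse_savedsearches(text).items():
            scheduled = is_truthy(stanza.get("enableSched", "0"))
            disabled = is_truthy(stanza.get("disabled", "0"))
            if scheduled and not disabled and owner not in valid_users:
                orphans.append((name, owner, app))
    return orphans


def reassign_request(name, app, current_owner, new_owner, sharing="user"):
    """Build the REST call that changes ownership through the ACL endpoint:
    POST /servicesNS/<current_owner>/<app>/saved/searches/<name>/acl
    with owner=<new_owner>&sharing=<sharing>. Returned as (path, body);
    the caller adds scheme, host, port and authentication and sends it.
    Addressing the object via its current owner's namespace is an assumption."""
    path = (f"/servicesNS/{quote(current_owner, safe='')}/{quote(app, safe='')}"
            f"/saved/searches/{quote(name, safe='')}/acl")
    body = urlencode({"owner": new_owner, "sharing": sharing})
    return path, body


if __name__ == "__main__":
    for name, owner, app in find_orphaned_scheduled(SAMPLE_CONFS, VALID_USERS):
        path, body = reassign_request(name, app, owner, "admin")
        print(f"orphan: {name} (owner={owner}, app={app}) -> POST {path}  {body}")
```

On the sample data only the scheduled, enabled search owned by the deleted test01 account is reported; the unscheduled report under the same user and alice's search are not. Note that with add_orphan_field the owner check is done server-side against the authentication backend, so a user who still exists in an LDAP/SAML directory but has been removed from Splunk's local user list is still an orphan; the function above reproduces that by taking the account list as an explicit input.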
Should I reassign them to 'admin' or 'nobody'?
I have several searches that a previous employee set up.
You should click Accept on your answer, but do not neglect to UpVote any answers that helped you get there.
Hey woodcock, sorry, I did not understand your context. Please let me know what you mean by UpVote?
There is a caret/chevron character (alongside the same character upside-down) next to every comment and answer (even the question, where it is the most prominent). Click on the ^ one to UpVote and the v one to DownVote. I UpVoted your answer.
Run this search on your Search Head directly:
| rest splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| where disabled=0 AND is_scheduled=1 AND orphan=1
Remove this line from the search and see what happens: | search orphan=1 disabled=0 is_scheduled=1
Hi Dal Jeanis, thanks for your support on this, but I do not see the alert message popping up currently in the Splunk GUI, so I did not test the search.
Hey, I could see the same message popped up again in the search head portal and have identified the search name SEC-GRC-ALERT-OIM-Email-DirSync-Errors and the user name of the user who had owned the search.
But the challenge now is that the user got deleted from Splunk, so I am unable to find the particular orphaned search in Settings --> Searches, reports, and alerts. I had gone through the Splunk documentation,
but was unable to find it after re-creating the user from Settings --> Access control --> Users.
At the same time, on the search head cluster node, I could see the search details under this path: /opt/splunk/etc/users/test01/local/search/savedsearches.conf. Can I comment it out (#) in this location; will that work? Kindly guide me on how to fix this issue.
Can anyone guide me on this?
Any help on this issue will be much appreciated!