- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- Re: Splunk has found 1 orphaned searches owned by ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
We are getting this pop-up message in the splunk console, based on the below link provide in the answer.com, I had tried to detect the orphaned searches in our environment but unable to get the details.
http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Knowledge/Resolveorphanedsearches
Splunk version details : 6.6.1
Methods to detect the orphaned searches.
1) Look at the Orphaned Scheduled Searches, Reports, and Alerts dashboard and report
Query details:
| rest timeout=600 splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing
Getting no result found.
2) Run the Monitoring Console health check
Settings--> Monitoring console --> Health Check --> start
Getting the below message details
Message
This health check item was successful. Everything is good here. All the splunk instance result are good.
3) Use the Reassign Knowledge Objects page in Settings
Settings --> All Configurations -->Reassign Knowledge objects -->orphaned to filter out the orphaned searches.
Getting no result found.
Kindly guide me how to find out which schedule search is left as orphaned in the search head cluster.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
The issue got fixed by following the below steps: Reassign unshared, orphaned knowledge objects
1) After logging into the splunk portal, we need to first get the orphaned searches name and owner details and that information can be obtained from the orphaned scheduled search reports. And you can also execute the below query manually to fetch the same result.
Query Details:
| rest timeout=600 splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing
2) On getting the owner name / search name, we need to re-create a invalid owner by accessing the settings-->access control-->user (with minimum role and capabilities as the user is temporary)
3) Once the user is re-created, go to the settings - Knowledge objects --> All configuration -->Reassign Knowledge object -->Orphaned tab and select Orphaned search and assign it to the re-created user.
4) After assigning the Orphaned search, go to the settings -->Knowledge objects -->Searches, Reports and Alerts --> select the search which was re-assigned to the invalid user, in my case the report was more specify to the user and it was not important, so we had disabled the Reports.
Note: Suppose if the Report/Alerts/searches are important, then you need to re-assign to the valid user, before disabling/removing the user from splunk.
5) Once the Reports are disabled, we can delete the invalid user by accessing the settings-->access control-->user - invalid user-delete.
6) Validate whether, by executing the above search query and also whether the pop message is cleared from the portal.
Referred below splunk document.link text
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Should I reassign them to 'admin' or 'nobody'
I have several searches that a previous employee setup.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
The issue got fixed by following the below steps: Reassign unshared, orphaned knowledge objects
1) After logging into the splunk portal, we need to first get the orphaned searches name and owner details and that information can be obtained from the orphaned scheduled search reports. And you can also execute the below query manually to fetch the same result.
Query Details:
| rest timeout=600 splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing
2) On getting the owner name / search name, we need to re-create a invalid owner by accessing the settings-->access control-->user (with minimum role and capabilities as the user is temporary)
3) Once the user is re-created, go to the settings - Knowledge objects --> All configuration -->Reassign Knowledge object -->Orphaned tab and select Orphaned search and assign it to the re-created user.
4) After assigning the Orphaned search, go to the settings -->Knowledge objects -->Searches, Reports and Alerts --> select the search which was re-assigned to the invalid user, in my case the report was more specify to the user and it was not important, so we had disabled the Reports.
Note: Suppose if the Report/Alerts/searches are important, then you need to re-assign to the valid user, before disabling/removing the user from splunk.
5) Once the Reports are disabled, we can delete the invalid user by accessing the settings-->access control-->user - invalid user-delete.
6) Validate whether, by executing the above search query and also whether the pop message is cleared from the portal.
Referred below splunk document.link text
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should click Accept on your answer but do not neglect to UpVote any answers that helped you get there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey woodcock, sorry i did not understand your context ? please let me know what do you mean by UpVote ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is a carat/Chevron character (alongside the same character upside-down) next to every comment and answer (even the question, where it is the most prominant). Click on the ^ one to UpVote and the v one to DownVote.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I UpVoted your answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run this search on your Search Head directly:
| rest splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| where disabled=0 AND is_scheduled=1 AND orphan=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
remove this line from the search and see what happens - | search orphan=1 disabled=0 is_scheduled=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Dal Jeanis, thanks for your support on this, but I do not see the alert message popping out currently in the Splunk GUI. So did not test the search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey I could see the same message popped up again in the search head portal and have identified the search name SEC-GRC-ALERT-OIM-Email-DirSync-Errors and the user name who had owned the search.
But the challenge is now the user got deleted from the splunk, so unable to find the particular orphaned search in the setting-->searches-reports-alerts. I had gone through the splunk documentation
But unable to find after re-creating the user from settings-- access control --users.
And at the same time on the search head cluster node, could see the search details under this path /opt/splunk/etc/users/test01/local/search/savedsearches.conf. Can I # it in this location will that work. Kindly guide me how to fix this issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can any one guide me on this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Any help on this issue, will be much appreciated !!!
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
