Knowledge Management

What is Best practice for removing orphaned KOs from SHC?

justynap_ldz
Path Finder

Hey,

does anyone know any best practice or clever way of removing orphaned Knowledge Objects in a Search Head cluster when it is already too late for reassignment?
For each orphaned object we are doing manual job like checking if AD accounts still exist, emailing the users and asking if they still need Splunk etc.
For non-existing accounts, we delete /opt/splunk/etc/users<user_id> catalogue from each SH separately (there are 4 SHs in our cluster), but we are looking for more clever solution

Unfortunately, there is no option in our case to be informed by the users that they are going to leave the company in order to react in advance and avoid orphaned KOs at all...

Greetings,
Justyna

 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...