Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk cloud- removing dashboards

kelstahl8705
Path Finder
‎01-10-2022 07:08 AM

Hi team 🙂

I have a user that left the company and now their dashboard searches are alerting as "orphaned objects". I reassigned all of their objects to me, cloned their dashboards (scream test), but when I go to (settings > user interface > views) to delete them I see no delete option except for the clones I made. 

I changed the permissions on the dashboards to read/write the sc_admin role only 
I (Admin) own all the objects now
These dashboards were user made and not apart of 3rd party app

What am I missing?
I have a few screen shots below to show better what I am explaining

Screen Shot of 'views' The clones are private the originals are notScreen Shot of 'views' The clones are private the originals are not

screen shot of what permissions are for original object I want to deletescreen shot of what permissions are for original object I want to delete

sc_admin has all the capabilities it can have assigned to itsc_admin has all the capabilities it can have assigned to it

Labels (1)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

kelstahl8705
Path Finder
‎01-11-2022 01:39 PM

Yep, so I had my support session and this is a known issue right now. When some dashboards/searches are saved private they for some reason save locally and thus "You don't get to delete them even if you have sc_admin!" xD The support analyst has to escalate for them to be removed from the back end and as of right now this is the future move until the issue is resolved. 

Thanks to everyone who looked, helped, or offered solutions!! I'm just not adult enough is the moral of the story 😂

Update from support

"I also wanted to let you know I little bit more about the known issue that I mentioned in the meeting, there are two issues related to knowledge objects, one happens when Splunk web is not able to delete those because they were created as private.

There is another one when you are able to reassign and clone KO without the permissions, turns out that if you create a KO and you share it with someone you lose the delete/disable option so you'll need to have permission on every copy shared of the KO to be able to delete it."

View solution in original post

Reply
Solved! Jump to solution
Solution

kelstahl8705
Path Finder
‎01-11-2022 01:39 PM

Yep, so I had my support session and this is a known issue right now. When some dashboards/searches are saved private they for some reason save locally and thus "You don't get to delete them even if you have sc_admin!" xD The support analyst has to escalate for them to be removed from the back end and as of right now this is the future move until the issue is resolved. 

Thanks to everyone who looked, helped, or offered solutions!! I'm just not adult enough is the moral of the story 😂

Update from support

"I also wanted to let you know I little bit more about the known issue that I mentioned in the meeting, there are two issues related to knowledge objects, one happens when Splunk web is not able to delete those because they were created as private.

There is another one when you are able to reassign and clone KO without the permissions, turns out that if you create a KO and you share it with someone you lose the delete/disable option so you'll need to have permission on every copy shared of the KO to be able to delete it."

Reply
Solved! Jump to solution

Stefanie
Builder
‎01-10-2022 08:12 AM

Sounds like there knowledge objects left in that user's home directory.

If you have access to the server, you can navigate to /opt/splunk/etc/users/kelly......./ and you can manually remove it from there. 

If you don't have access, you can temporarily recreate that user and reassign their knowledge objects to someone else.

Reply
Solved! Jump to solution

kelstahl8705
Path Finder
‎01-10-2022 08:19 AM

Thanks for the reply!

I don't have access to the server (boo) thats why I always preface with I use Splunk Cloud, its a crazy beast when it comes to things I can and cannot do.

Do you mean to recreate them with a local account? We use SAML to authenticate so this user never had any local creds. They were apart of an AD group that then got the role for viewing this data assigned to everyone that is in that AD group. 


0 Karma
Reply
Solved! Jump to solution

Stefanie
Builder
‎01-10-2022 08:34 AM

Ah, okay. I wasn't sure as I've never used Splunk Cloud 😞

In that case, you could try recreating as a local user that user with the same userid shown in your screenshot (kelly............com) and try that ..

If that doesn't work my advice would be to submit a ticket to Splunk Support for them to remove the orphaned search. 

Reply
Solved! Jump to solution

kelstahl8705
Path Finder
‎01-10-2022 08:44 AM

No worries! 

The best way I can explain my experience with Cloud so far is ...cloud is like on-prem but if it were in a alternate mirror dimension so things that are supposed to go a certain way do normally except sometimes its backwards or just off ever so slightly xD 

I did try to recreate that user and also try use my test local account and I cannot get the option of 'Delete' to pop up. 

looks like its a ticket to support *sad trumpet sound*

Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...