Knowledge Management

splunk cloud- removing dashboards

kelstahl8705
Path Finder

Hi team 🙂

I have a user that left the company and now their dashboard searches are alerting as "orphaned objects". I reassigned all of their objects to me, cloned their dashboards (scream test), but when I go to (settings > user interface > views) to delete them I see no delete option except for the clones I made. 

I changed the permissions on the dashboards to read/write the sc_admin role only 
I (Admin) own all the objects now
These dashboards were user made and not apart of 3rd party app

What am I missing?
I have a few screen shots below to show better what I am explaining

Screen Shot of 'views' The clones are private the originals are notScreen Shot of 'views' The clones are private the originals are not

screen shot of what permissions are for original object I want to deletescreen shot of what permissions are for original object I want to delete

sc_admin has all the capabilities it can have assigned to itsc_admin has all the capabilities it can have assigned to it

Labels (1)
1 Solution

kelstahl8705
Path Finder

Yep, so I had my support session and this is a known issue right now. When some dashboards/searches are saved private they for some reason save locally and thus "You don't get to delete them even if you have sc_admin!" xD The support analyst has to escalate for them to be removed from the back end and as of right now this is the future move until the issue is resolved. 

Thanks to everyone who looked, helped, or offered solutions!! I'm just not adult enough is the moral of the story 😂

Update from support

"I also wanted to let you know I little bit more about the known issue that I mentioned in the meeting, there are two issues related to knowledge objects, one happens when Splunk web is not able to delete those because they were created as private.

There is another one when you are able to reassign and clone KO without the permissions, turns out that if you create a KO and you share it with someone you lose the delete/disable option so you'll need to have permission on every copy shared of the KO to be able to delete it."

View solution in original post

kelstahl8705
Path Finder

Yep, so I had my support session and this is a known issue right now. When some dashboards/searches are saved private they for some reason save locally and thus "You don't get to delete them even if you have sc_admin!" xD The support analyst has to escalate for them to be removed from the back end and as of right now this is the future move until the issue is resolved. 

Thanks to everyone who looked, helped, or offered solutions!! I'm just not adult enough is the moral of the story 😂

Update from support

"I also wanted to let you know I little bit more about the known issue that I mentioned in the meeting, there are two issues related to knowledge objects, one happens when Splunk web is not able to delete those because they were created as private.

There is another one when you are able to reassign and clone KO without the permissions, turns out that if you create a KO and you share it with someone you lose the delete/disable option so you'll need to have permission on every copy shared of the KO to be able to delete it."

Stefanie
Builder

Sounds like there knowledge objects left in that user's home directory.

If you have access to the server, you can navigate to /opt/splunk/etc/users/kelly......./ and you can manually remove it from there. 

If you don't have access, you can temporarily recreate that user and reassign their knowledge objects to someone else.

kelstahl8705
Path Finder

Thanks for the reply!

I don't have access to the server (boo) thats why I always preface with I use Splunk Cloud, its a crazy beast when it comes to things I can and cannot do.

Do you mean to recreate them with a local account? We use SAML to authenticate so this user never had any local creds. They were apart of an AD group that then got the role for viewing this data assigned to everyone that is in that AD group. 


0 Karma

Stefanie
Builder

Ah, okay. I wasn't sure as I've never used Splunk Cloud 😞

In that case, you could try recreating as a local user that user with the same userid shown in your screenshot (kelly............com) and try that ..

If that doesn't work my advice would be to submit a ticket to Splunk Support for them to remove the orphaned search. 

kelstahl8705
Path Finder

No worries! 

The best way I can explain my experience with Cloud so far is ...cloud is like on-prem but if it were in a alternate mirror dimension so things that are supposed to go a certain way do normally except sometimes its backwards or just off ever so slightly xD 

I did try to recreate that user and also try use my test local account and I cannot get the option of 'Delete' to pop up. 

looks like its a ticket to support *sad trumpet sound*

Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...