Reporting

Switched to Free, cannot reassign or delete embeds

codenaugh
Explorer

I've switched my license from the trial to free and in doing so, the users I created are no longer there, which has created an orphaned embed. It tells me to reassign it to a valid user, but when I try to reassign it, it tells me I have to unembed it first, but embeded reports are also not a feature of splunk free, so it appears I also cannot do that. I've tried to delete the job but it just reappears. Here is the notification that is always on:

"Splunk has found 1 orphaned searches owned by 1 unique disabled users. Click to view the orphaned scheduled searches. Reassign them to a valid user to re-enable or alternatively disable the searches."

How can I remove this embed so I can reassign or delete the job, thereby stopping the error message?

Labels (2)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

If you have standard linux installation, then those files are in:

  • /opt/splunk/etc/apps/<app name>/
    • local/savedsearches.conf
    • metadata/
  • /opt/splunk/etc/users/<user name>/<app name>/
    • savedsearches.conf

All those must move to 

  • /opt/splunk/etc/apps/<app name>/ or
  • /opt/splunk/etc/users/admin/<app name>

based on if those are shared globally/app or those are private objects. That can saw by current location of object and/or .../metadata/meta.* files (export = system).

You could also try to change ownership by REST, probably it didn't work but please try it. https://community.splunk.com/t5/Getting-Data-In/change-the-owner-of-a-saved-search-via-REST/td-p/185... 

r. Ismo

 

View solution in original post

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/TypesofSplunklicenses There is described different licenses and what kind of restrictions those have.

On free you haven’t separate users anymore. I’m not sure if you still can assign those reports to admin or not via GUI? If it not works then you could try to stop this instance and then update those savedsearches.conf by editor. You must move those to correct directory (app or admin user folder). Remember also update metadata files (and move those to correct place) with correct user/owner. 

And last option (after you have taken working full backup) is remove installation and reinstall it. Then you could copy those KOs back to the fresh installation.

r. Ismo

0 Karma

codenaugh
Explorer

I cannot change the user via GUI. Where should I look for savedsearches.conf and metadata files? That sounds promising to change the user that way.

Tags (1)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

If you have standard linux installation, then those files are in:

  • /opt/splunk/etc/apps/<app name>/
    • local/savedsearches.conf
    • metadata/
  • /opt/splunk/etc/users/<user name>/<app name>/
    • savedsearches.conf

All those must move to 

  • /opt/splunk/etc/apps/<app name>/ or
  • /opt/splunk/etc/users/admin/<app name>

based on if those are shared globally/app or those are private objects. That can saw by current location of object and/or .../metadata/meta.* files (export = system).

You could also try to change ownership by REST, probably it didn't work but please try it. https://community.splunk.com/t5/Getting-Data-In/change-the-owner-of-a-saved-search-via-REST/td-p/185... 

r. Ismo

 

0 Karma

codenaugh
Explorer

Thanks so much. I was able to modify the savedsearches.conf and set embed.enabled to false, which allowed me to change the user the saved search was assigned to in the GUI. All is well.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...