Reporting
Highlighted

User departure causes summary indexes to not schedule

Engager

I have a dashboard that depends on multiple summary indexes, all of which have global permissions. The summary indexes are owned by user no longer in our Splunk system. When I attempt to enable these indexes, they disable at the next scheduled run. I have admin privileges, but I don't see how I can change the owner without re-creating the searches (there are too many to do this).

  1. Why won't Splunk run scheduled searches because they were created by a former user?
  2. Is there a relatively painless way to change the owner? I'm guessing there is a file on the server that can be edited, but why not an in-app solution?

I'm running 4.1.5 and need a fix without upgrading to 4.2 (which doesn't appear to have fixed the problem).

Highlighted

Re: User departure causes summary indexes to not schedule

Splunk Employee
Splunk Employee

I talked about a similar issue here:

http://splunk-base.splunk.com/answers/10946/authorizationfailed-http-403-when-clicking-on-the-link-i...

The fix is to update local.meta with the new owner of the search.

The search won't run because the former user does not exist, hence the permissions that the non existent user has don't allow the search to run. I can't answer as to why this isn't in the product, but I have a defect filed on the behavior that will be turned into a feature like this in the future. Seems to me that you should be able to change ownership via the UI to specific users, at least with users assigned to the admin role.

View solution in original post