What's the best solution for orphaned searches?

twinspop
Influencer

2 problems:

1) There is no change ownership option in the GUI - seems like a huge oversight.

2) The search to show orphaned searches times out with no results.

So I'm left with not being able to proactively identify the OSs, and when users come to me about missing scheduled searches, I have no easy solution for fixing them aside from climbing through savedsearches.conf files manually.

Any recommendations? With a user count rapidly approaching 10k, and the normal churn at Big American Corp(tm), this is turning into a big thorn in my side.

1 Solution

twinspop
Influencer

With 6.5.3 and above the orphaned report works. So progress! My current workflow is

1) add the owner back to splunk temporarily
2) use the REST API to change ownership from the old owner to a new (existing) user
3) delete the owner from the system

Example API access to change ownership with curl (including disabling the search):

curl -ku admin https://searchhead:8089/servicesNS/olduser/appname/saved/searches/searchname/acl -d owner=newowner -d disabled=1

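The workflow above (find saved searches whose owner no longer exists, then POST a new owner to the search's acl endpoint) can be scripted so the orphan check and the reassignment use the same data. The following is an added example, not the poster's code or anything shipped by Splunk. It assumes the standard JSON responses from /services/authentication/users and /servicesNS/-/-/saved/searches (output_mode=json), preserves each search's existing sharing level when posting to the acl endpoint, and keeps the transport injectable so the selection logic can be run first as a dry run. Host, user names and search names in the sample data are constructed.

```python
"""Find orphaned Splunk saved searches and reassign them through the REST ACL endpoint."""
import base64
import json
import ssl
import urllib.parse
import urllib.request


def orphaned_searches(entries, existing_users):
    """Return the saved-search entries whose acl.owner is not a current user.

    `entries` is the 'entry' list from /saved/searches?output_mode=json;
    `existing_users` is the list of names from /authentication/users.
    """
    users = set(existing_users)
    return [e for e in entries if e["acl"]["owner"] not in users]


def acl_url(base_url, app, old_owner, name):
    """Build /servicesNS/<old_owner>/<app>/saved/searches/<name>/acl with escaping."""
    return "%s/servicesNS/%s/%s/saved/searches/%s/acl" % (
        base_url.rstrip("/"),
        urllib.parse.quote(old_owner, safe=""),
        urllib.parse.quote(app, safe=""),
        urllib.parse.quote(name, safe=""),
    )


def reassign_orphans(entries, existing_users, new_owner, base_url, post):
    """Reassign every orphaned search to new_owner; returns (name, url, form, status) per call.

    The new owner must already exist, otherwise the search would just become
    orphaned again. Sharing is carried over from the entry's current acl
    (assumption: the acl endpoint is given both owner and sharing).
    """
    if new_owner not in set(existing_users):
        raise ValueError("new owner must be an existing user: %s" % new_owner)
    results = []
    for e in orphaned_searches(entries, existing_users):
        acl = e["acl"]
        url = acl_url(base_url, acl["app"], acl["owner"], e["name"])
        form = {"owner": new_owner, "sharing": acl.get("sharing", "user")}
        results.append((e["name"], url, form, post(url, form)))
    return results


class DryRunPost:
    """Transport that only records what would be posted; use it to review the plan first."""

    def __init__(self):
        self.calls = []

    def __call__(self, url, form):
        self.calls.append((url, dict(form)))
        return 200


def make_http_post(username, password, verify_tls=True):
    """Real transport: form POST with HTTP basic auth (the curl -u equivalent).

    TLS verification stays on by default; pass verify_tls=False only for a
    search head whose certificate you cannot yet validate.
    """
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    ctx = None if verify_tls else ssl._create_unverified_context()

    def post(url, form):
        req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
        req.add_header("Authorization", "Basic " + token)
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status

    return post


def fetch_entries(base_url, path, username, password, verify_tls=True):
    """GET a Splunk endpoint as JSON and return its 'entry' list (count=0 means no paging cap)."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    ctx = None if verify_tls else ssl._create_unverified_context()
    url = "%s%s?output_mode=json&count=0" % (base_url.rstrip("/"), path)
    req = urllib.request.Request(url)
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)["entry"]


# Constructed sample data shaped like the two endpoints' 'entry' lists.
SAMPLE_ENTRIES = [
    {"name": "daily failed logins", "acl": {"owner": "jdoe", "app": "search", "sharing": "app"}},
    {"name": "vpn anomalies", "acl": {"owner": "left_company", "app": "security", "sharing": "user"}},
    {"name": "disk usage", "acl": {"owner": "admin", "app": "search", "sharing": "global"}},
]
SAMPLE_USERS = ["admin", "jdoe", "secops"]

if __name__ == "__main__":
    # Dry run against the constructed data; swap in fetch_entries()/make_http_post() for a live search head.
    plan = DryRunPost()
    for name, url, form, _ in reassign_orphans(SAMPLE_ENTRIES, SAMPLE_USERS, "secops", "https://searchhead:8089", plan):
        print("would POST", form, "to", url, "for", repr(name))
```

Against a live search head the same call becomes `reassign_orphans(fetch_entries(base, "/servicesNS/-/-/saved/searches", u, p), [e["name"] for e in fetch_entries(base, "/services/authentication/users", u, p)], "secops", base, make_http_post(u, p))`; running the dry-run transport first lists exactly which searches would change hands before anything is written.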
jkat54
SplunkTrust

In 6.6.x there is ability to change ownership via GUI:
http://docs.splunk.com/Documentation/Splunk/6.6.0/Knowledge/Resolveorphanedsearches

Previous versions you'll need to use this method instead:
http://docs.splunk.com/Documentation/Splunk/6.5.4/Knowledge/Resolveorphanedsearches

0 Karma

aferone
Builder

Open a case. I have the same problem, and Splunk Support is pretty sure this is a bug. I am running 6.4.2.

0 Karma

twinspop
Influencer

Method I used for the case reported today: On the CLI, I used sed (or perl, or whatever) to globally replace the old username in local.meta with a new, existing, username. Unfortunately, on an SHC this is messy as the changes need to be sync'd with all SHC members, and then restarted. Does it work? Yes. Is it gross/clumsy/error-prone? Also also yes.

0 Karma
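The global replace described above is where the error-prone part comes from: a username that also appears in a stanza name (the search or view name) or in a value gets rewritten along with the owner. The following added example, which is not the poster's command or any Splunk tooling, restricts the rewrite to `owner = <old>` lines in a .meta file, writes a backup before touching the file, and reports how many lines changed so the edit can be checked before the file is pushed to the other search head cluster members. The sample local.meta content is constructed.

```python
"""Rewrite only the owner lines of a Splunk .meta file, leaving stanza names and other values alone."""
import re
import shutil

# One 'owner = value' line; group 1 keeps the original key and spacing intact.
OWNER_LINE = re.compile(r"^(\s*owner\s*=\s*)(\S+)\s*$")


def reassign_owner_in_meta(text, old_owner, new_owner):
    """Return (rewritten_text, number_of_lines_changed) for the given .meta content."""
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        m = OWNER_LINE.match(line)
        if m and m.group(2) == old_owner:
            line = m.group(1) + new_owner + ("\n" if line.endswith("\n") else "")
            changed += 1
        out.append(line)
    return "".join(out), changed


def reassign_owner_in_file(path, old_owner, new_owner):
    """Back up path to path.bak, rewrite owner lines in place, return the change count."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    rewritten, changed = reassign_owner_in_meta(original, old_owner, new_owner)
    if changed:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(rewritten)
    return changed


# Constructed local.meta: the old username appears in two stanza names as well as two owner lines.
SAMPLE_META = """[savedsearches/daily%20failed%20logins]
owner = jdoe
access = read : [ * ], write : [ admin ]

[savedsearches/left_company%20review]
owner = left_company
version = 6.5.3

[views/left_company_dashboard]
owner = left_company
"""

if __name__ == "__main__":
    new_text, n = reassign_owner_in_meta(SAMPLE_META, "left_company", "secops")
    print("changed %d owner line(s)" % n)
    print(new_text)
```

Running it on the sample shows two owner lines changed while the stanza names `savedsearches/left_company%20review` and `views/left_company_dashboard` are preserved, which a plain `sed 's/left_company/secops/g'` would have renamed; the same function applied to each app's `metadata/local.meta` gives a per-file count to compare across cluster members after the sync and restart.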