An ex-colleague user has been removed from access controls however their saved searches linked with his username are still running and i am seeing errors of orphaned searches. I am an Admin but cannot delete these searches. Is there another way?
There are a couple of ways you can resolve this issue. If you wish to delete/disable/unschedule the orphaned searches, you can do so under Settings>Searches, reports, and alerts or delete it from the Reports listing page.
You can reassign the search in savedsearches.conf by cutting the stanza out from the invalid user and pasting under a valid user and restart your instance.
Editing and .conf directly in Splunk Cloud requires a Support Ticket with Splunk Support.
You can change user account settings, such as the password as @arowsell has mentioned, and remove the searches. After doing that you can delete the user account.
there is the possiblity of you deleting the searches by editing the .conf files directly.
You can go under your Splunk-Home-Directory -> /etc/apps/search/local/ and edit savedsearches.conf there.
Just delete savedsearches that are not needed anymore.
Then go into the Splunk-Home-Directory and under /etc/apps/search/metadata/local/ where you need to delete the
Stanza with all it's parameters.
I did this myself this way, when I ran into the problem before.
No guarantee that this is the perfect solution.
Hi, the easiest way as a Splunk Admin would be to re-created the user account of the ex-colleague with a different password. When you login as this user you should be able to see all their saved searches etc and have the ability to delete them.
You could also probably delete them through the CLI.