Security

Cannot delete saved searches of a user that no longer exists?

vhallan_splunk
Splunk Employee
Splunk Employee

An ex-colleague user has been removed from access controls however their saved searches linked with his username are still running and i am seeing errors of orphaned searches. I am an Admin but cannot delete these searches. Is there another way?

Tags (1)

cmerriman
Super Champion

There are a couple of ways you can resolve this issue. If you wish to delete/disable/unschedule the orphaned searches, you can do so under Settings>Searches, reports, and alerts or delete it from the Reports listing page.

You can reassign the search in savedsearches.conf by cutting the stanza out from the invalid user and pasting under a valid user and restart your instance.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Resolveorphanedsearches#Delete_an_orphan...

vhallan_splunk
Splunk Employee
Splunk Employee

That would work, however I am a cloud customer so do not have access via command line 😞 but good answer!

cmerriman
Super Champion

http://docs.splunk.com/Documentation/SplunkCloud/6.5.0/User/Admintasks

Editing and .conf directly in Splunk Cloud requires a Support Ticket with Splunk Support.

http://docs.splunk.com/Documentation/SplunkCloud/6.5.0/User/Useraccounts

You can change user account settings, such as the password as @arowsell has mentioned, and remove the searches. After doing that you can delete the user account.

horsefez
Motivator

Hello vhallan,

there is the possiblity of you deleting the searches by editing the .conf files directly.
You can go under your Splunk-Home-Directory -> /etc/apps/search/local/ and edit savedsearches.conf there.
Just delete savedsearches that are not needed anymore.

Then go into the Splunk-Home-Directory and under /etc/apps/search/metadata/local/ where you need to delete the
[savedsearches/Nameofthesavedsearch]
Stanza with all it's parameters.

I did this myself this way, when I ran into the problem before.
No guarantee that this is the perfect solution.

Regards,
pyro_wood

arowsell_splunk
Splunk Employee
Splunk Employee

Hi, the easiest way as a Splunk Admin would be to re-created the user account of the ex-colleague with a different password. When you login as this user you should be able to see all their saved searches etc and have the ability to delete them.

You could also probably delete them through the CLI.

Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...