
Cannot delete saved searches of a user that no longer exists?

vhallan_splunk
Splunk Employee

An ex-colleague user has been removed from access controls; however, their saved searches linked with his username are still running and I am seeing errors of orphaned searches. I am an Admin but cannot delete these searches. Is there another way?


cmerriman
Super Champion

There are a couple of ways you can resolve this issue. If you wish to delete/disable/unschedule the orphaned searches, you can do so under Settings>Searches, reports, and alerts or delete it from the Reports listing page.

You can reassign the search in savedsearches.conf by cutting the stanza out from the invalid user, pasting it under a valid user, and restarting your instance.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Resolveorphanedsearches#Delete_an_orphan...

vhallan_splunk
Splunk Employee

That would work, however I am a cloud customer so do not have access via command line 😞 but good answer!

cmerriman
Super Champion

http://docs.splunk.com/Documentation/SplunkCloud/6.5.0/User/Admintasks

Editing any .conf directly in Splunk Cloud requires a Support Ticket with Splunk Support.

http://docs.splunk.com/Documentation/SplunkCloud/6.5.0/User/Useraccounts

You can change user account settings, such as the password as @arowsell has mentioned, and remove the searches. After doing that you can delete the user account.

horsefez
SplunkTrust

Hello vhallan,

There is the possibility of you deleting the searches by editing the .conf files directly.
You can go under your Splunk-Home-Directory -> /etc/apps/search/local/ and edit savedsearches.conf there.
Just delete savedsearches that are not needed anymore.

Then go into the Splunk-Home-Directory and under /etc/apps/search/metadata/local/ where you need to delete the
[savedsearches/Nameofthesavedsearch]
stanza with all its parameters.

I did this myself this way, when I ran into the problem before.
No guarantee that this is the perfect solution.

Regards,
pyro_wood
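
Before removing stanzas by hand as described in the post above, it helps to list which saved searches are actually owned by an account that no longer exists. The following is an added example, not part of the original post and not Splunk's own tooling. It assumes ownership is recorded as `owner = <user>` lines under `[savedsearches/<name>]` stanzas in the app's metadata file (local.meta) with URL-encoded stanza names; the sample content, user names and search names are constructed.

```python
from urllib.parse import unquote

# Constructed sample of a metadata file; owners and search names are invented.
SAMPLE_LOCAL_META = """\
[savedsearches/Failed%20logins%20by%20host]
owner = jdoe
version = 6.5.0
modtime = 1480000000.000000000

[savedsearches/License%20usage]
owner = admin
version = 6.5.0

[views/dashboard_one]
owner = jdoe
"""

def parse_meta(text):
    """Return {stanza_name: {key: value}} for a .meta file's contents."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def orphaned_searches(meta_text, valid_users):
    """List (search name, owner) for saved searches whose owner is not a valid user.

    valid_users should include the special owner "nobody" if it is in use.
    """
    found = []
    for stanza, attrs in parse_meta(meta_text).items():
        kind, _, name = stanza.partition("/")
        owner = attrs.get("owner")
        if kind == "savedsearches" and name and owner and owner not in valid_users:
            found.append((unquote(name), owner))  # decode %20 etc. for display
    return sorted(found)

if __name__ == "__main__":
    for name, owner in orphaned_searches(SAMPLE_LOCAL_META, {"admin", "nobody"}):
        print(f"orphaned: {name!r} (owner {owner})")
```

The names it reports are the stanzas to look for in savedsearches.conf and in the metadata file; take a backup of both files before editing them.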

arowsell_splunk
Splunk Employee

Hi, the easiest way as a Splunk Admin would be to re-create the user account of the ex-colleague with a different password. When you log in as this user you should be able to see all their saved searches etc. and have the ability to delete them.

You could also probably delete them through the CLI.
