Security

How can we find all the searches, Alerts, Dashboard and ... created (saved) by a user?

KooroshFooladba
Explorer

The user has left the company and has been removed from Active Directory (LDAP). He owns several searches, dashboards and ...
We need to assign them to another existing user. Currently, when we restart the search heads, we get lots of error messages saying the user does not exist.

mparks11
Path Finder

We've run into this as well. Our solution has been to (in the WebUI) look at Settings --> All Configurations --> Select "All" App context and then either search for the user ID of the user that's been removed, or select that user ID from the "Owner" drop down. From there you can see the items that are owned by that user, and the App context under which they exist. At that point it's a matter of still changing the metadata/local.meta file for each App. Once complete, running a debug/refresh (http[s]://[yoursplunkserver]:[splunk port]/en-US[or your locale]/debug/refresh) has worked sufficiently if a Splunk restart isn't possible.

If you've found a better solution please share!

LewisWheeler
Communicator

Good alternative to restart here! Shame I can't get it to work with a curl command. I assume it needs a session first.

0 Karma

stanhoener
Engager

Create a non-LDAP name that is a duplicate of the user that has left the company.
Give this admin privileges.
Log in with that ID and change the objects however you want.
When you're done, remember to remove that old ID.

0 Karma

KooroshFooladba
Explorer

The following is a sample of the errors we get during the restart of Splunk:
09-13-2014 11:29:32.679 -0400 ERROR AuthenticationManagerLDAP - Could not find user="USERNAME" with strategy="COMPANY_ActiveDirectory"
09-13-2014 11:29:32.680 -0400 ERROR UserManagerPro - Failed to get LDAP user="USERNAME" from any configured servers
09-13-2014 11:29:40.881 -0400 INFO TcpOutputProc - Connected to idx=xxx.xxx.xxx.xxx:9997

0 Karma

Ant1D
Motivator

Hi Koorosh, can you edit your question to include an example error message that you are receiving?

You might be able to change the owner of the objects by editing the local.meta file in the Splunk App where these objects reside. There will be a line (owner = ) under each object.
For example, if you created dashboards etc. inside the default search app, there would be a corresponding $SPLUNK_HOME/etc/apps/search/metadata/local.meta file containing information about the owners of your savedsearches, dashboards (views) etc., which you can amend.

To be safe, make sure that you copy this file before making any changes.

0 Karma

KooroshFooladba
Explorer

Regarding what you have mentioned for changing the owner in the $SPLUNK_HOME/etc/apps/search/metadata/local.meta file, I already knew that file, but I believe there are other files that need to be updated as well, for example "$SPLUNK_HOME/etc/apps/APPS/metadata/local.meta".
By APPS I meant the apps that the user is part of and has shared some of his searches or dashboards and ...

0 Karma
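
The per-app local.meta check discussed in this thread can be scripted. The following is an added example, not code from any poster or from Splunk: it lists every stanza under etc/apps/*/metadata/local.meta owned by a departed user and rewrites the owner after saving a backup copy. The function names, the user IDs "jdoe" and "svc_reports", and the sample files are hypothetical and constructed for illustration.

```python
import re, shutil, tempfile
from pathlib import Path
from urllib.parse import unquote

def meta_files(splunk_home):
    return sorted(Path(splunk_home).glob("etc/apps/*/metadata/local.meta"))

def find_owned(splunk_home, user):
    """Return (app, object) pairs whose stanza carries owner = <user>."""
    hits = []
    for meta in meta_files(splunk_home):
        stanza = ""
        for line in meta.read_text().splitlines():
            line = line.strip()
            if line.startswith("[") and line.endswith("]"):
                stanza = unquote(line[1:-1])   # names are URL-encoded on disk
            elif re.fullmatch(r"owner\s*=\s*" + re.escape(user), line):
                hits.append((meta.parts[-3], stanza))
    return hits

def reassign(splunk_home, old, new):
    """Change owner = old to owner = new; keep local.meta.bak beside each edited file."""
    pat = re.compile(rf"^([ \t]*owner[ \t]*=[ \t]*){re.escape(old)}[ \t]*$", re.M)
    changed = []
    for meta in meta_files(splunk_home):
        text, n = pat.subn(lambda m: m.group(1) + new, meta.read_text())
        if n:
            shutil.copy2(meta, meta.with_name("local.meta.bak"))
            meta.write_text(text)
            changed.append((meta.parts[-3], n))
    return changed

def build_sample(root):
    # Constructed sample tree: two apps, user "jdoe" has left the company.
    sample = {
        "search": "[savedsearches/Failed%20logins]\nowner = jdoe\nversion = 6.1.3\n\n"
                  "[views/ops_overview]\nowner = admin\n",
        "my_app": "[views/team_dashboard]\nowner = jdoe\n",
    }
    for app, body in sample.items():
        d = Path(root, "etc/apps", app, "metadata")
        d.mkdir(parents=True)
        (d / "local.meta").write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_sample(home)
        print(find_owned(home, "jdoe"))
        print(reassign(home, "jdoe", "svc_reports"), find_owned(home, "jdoe"))
```

Against a real instance, call find_owned with the actual $SPLUNK_HOME first and review the list before running reassign; the change takes effect after the debug/refresh or restart mentioned above.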