Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I migrate knowledge objects from internal/local user to SAML user?

jthairu_splunk
Splunk Employee
Splunk Employee
‎03-29-2018 07:24 AM

I am looking for a little more information on how to transfer ownership of existing items (dashboards, reports, alerts, etc) owned by internal users to the new saml users?

0 Karma
Reply

twinspop
Influencer
‎05-01-2018 07:58 AM

In recent versions of Splunk you can use the re-asignment page.

Settings -> All Configurations -> Reassign Knowledge Objects

Use the menus and filter to narrow your search.

0 Karma
Reply

sansay
Contributor
‎05-08-2018 05:23 PM

Unfortunately, I just discovered that,
1. There is a known bug which prevents you from seeing the macros
2. This method only works for public knowledge objects, not private if the user no longer has access.
In that case, as indicated in the doc, you will have to temporarily recreate the user.

Also note that this behavior is observed in search head clusters.

0 Karma
Reply

twinspop
Influencer
‎05-08-2018 05:56 PM

All true statements. For this situation, I cobbled together a bash script to hit up all meta files and use sed to replace olduser with newuser, then move the olduser directory from $splunk/etc/users to a safe place for backup. You'll then need to clear search history for the user cuz for some reasons the scheduler will see that and try to auth non-existent users. Finally, restart splunk.

The search history clean:

echo removing $ORIG_OWNER from SavedSearchHistory collection cuz bug SPL-134750
for sid in splunk _internal call /servicesNS/nobody/system/storage/collections/data/SavedSearchHistory/ \
| grep $ORIG_OWNER | cut -d'"' -f 4 | xxd -plain | tr -d '\n' | sed 's/\(..\)/%\1/g' | sed -e 's/%0a/\n/g'
do
splunk _internal call /servicesNS/nobody/system/storage/collections/data/SavedSearchHistory/$sid -method DELETE
done

EDIT: Well that was clobbered. hopefully decipherable

Reply

suarezry
Builder
‎05-01-2018 07:48 AM

Hi @hthairu, we need some more info:

  1. Have the SAML users already logged in? (ie. Are their accounts already in splunk)
  2. Do you run a search head cluster or are they standalone search heads.
0 Karma
Reply

suarezry
Builder
‎05-01-2018 07:47 AM

Hi @deepashri, this will only work if the SAML user has logged in already.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...