Unfortunately, I just discovered that,
1. There is a known bug which prevents you from seeing the macros
2. This method only works for public knowledge objects, not private if the user no longer has access.
In that case, as indicated in the doc, you will have to temporarily recreate the user.
Also note that this behavior is observed in search head clusters.
All true statements. For this situation, I cobbled together a bash script to hit up all meta files and use sed to replace olduser with newuser, then move the olduser directory from $splunk/etc/users to a safe place for backup. You'll then need to clear search history for the user cuz for some reasons the scheduler will see that and try to auth non-existent users. Finally, restart splunk.
The search history clean:
echo removing $ORIGOWNER from SavedSearchHistory collection cuz bug SPL-134750
for sid in `splunk _internal call /servicesNS/nobody/system/storage/collections/data/SavedSearchHistory/ \
| grep $ORIGOWNER | cut -d'"' -f 4 | xxd -plain | tr -d '\n' | sed 's/(..)/%\1/g' | sed -e 's/%0a/\n/g'`
splunk _internal call /servicesNS/nobody/system/storage/collections/data/SavedSearchHistory/$sid -method DELETE
EDIT: Well that was clobbered. hopefully decipherable
Refer this accepted answer:
Let me know if this helps!!