Security

How do you find scheduled searches and other knowledge objects that belong to deleted users?

chris
Motivator

Hi

Our Splunk search head uses to the company Active Directory to do authentication & authorization. When a user leaves the company, Splunk will no longer see that user, but the knowledge objects are not deleted (which is good). How can I detect that situation? If the user has scheduled searches they will no longer run->, I would like to find those and either change the user or delete the searches if they are not used anymore.

Regards
Chris

1 Solution

chris
Motivator

Based on woodcocks suggestion I came up with this search:

| rest /servicesNS/-/-/saved/searches | where is_scheduled=1 AND disabled=0 AND next_scheduled_time=""  | fields eai:acl.owner cron_schedule is_scheduled eai:acl.app next_scheduled_time title updated splunk_server disabled

If the search is still active and scheduled but there is no nex_scheduled_time then something is not right.

View solution in original post

chris
Motivator

Based on woodcocks suggestion I came up with this search:

| rest /servicesNS/-/-/saved/searches | where is_scheduled=1 AND disabled=0 AND next_scheduled_time=""  | fields eai:acl.owner cron_schedule is_scheduled eai:acl.app next_scheduled_time title updated splunk_server disabled

If the search is still active and scheduled but there is no nex_scheduled_time then something is not right.

View solution in original post

woodcock
Esteemed Legend

Run this on each Search Head:

| rest /servicesNS/-/-/saved/searches | where $eai:acl.owner$="nobody" AND is_scheduled="1"

chris
Motivator

Hi woodcook, good to hear from you. Searching for the user "nobody" did not help on our Installation. I do remember that this worked on other Splunk installations I used to look after. We're running 6.3.1, maybe something changed. You did get me going in the right direction though. I'll post the query as a separate answer.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.