Our Splunk search head uses the company Active Directory to do authentication & authorization. When a user leaves the company, Splunk will no longer see that user, but the knowledge objects are not deleted (which is good). How can I detect that situation? If the user has scheduled searches, they will no longer run. I would like to find those and either change the user or delete the searches if they are not used anymore.
Hi woodcook, good to hear from you. Searching for the user "nobody" did not help on our installation. I do remember that this worked on other Splunk installations I used to look after. We're running 6.3.1, maybe something changed. You did get me going in the right direction though. I'll post the query as a separate answer.