Security

How do you find scheduled searches and other knowledge objects that belong to deleted users?

chris
Motivator

Hi

Our Splunk search head uses to the company Active Directory to do authentication & authorization. When a user leaves the company, Splunk will no longer see that user, but the knowledge objects are not deleted (which is good). How can I detect that situation? If the user has scheduled searches they will no longer run->, I would like to find those and either change the user or delete the searches if they are not used anymore.

Regards
Chris

1 Solution

chris
Motivator

Based on woodcocks suggestion I came up with this search:

| rest /servicesNS/-/-/saved/searches | where is_scheduled=1 AND disabled=0 AND next_scheduled_time=""  | fields eai:acl.owner cron_schedule is_scheduled eai:acl.app next_scheduled_time title updated splunk_server disabled

If the search is still active and scheduled but there is no nex_scheduled_time then something is not right.

View solution in original post

chris
Motivator

Based on woodcocks suggestion I came up with this search:

| rest /servicesNS/-/-/saved/searches | where is_scheduled=1 AND disabled=0 AND next_scheduled_time=""  | fields eai:acl.owner cron_schedule is_scheduled eai:acl.app next_scheduled_time title updated splunk_server disabled

If the search is still active and scheduled but there is no nex_scheduled_time then something is not right.

woodcock
Esteemed Legend

Run this on each Search Head:

| rest /servicesNS/-/-/saved/searches | where $eai:acl.owner$="nobody" AND is_scheduled="1"

chris
Motivator

Hi woodcook, good to hear from you. Searching for the user "nobody" did not help on our Installation. I do remember that this worked on other Splunk installations I used to look after. We're running 6.3.1, maybe something changed. You did get me going in the right direction though. I'll post the query as a separate answer.

0 Karma
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...