Hi
Our Splunk search head uses the company Active Directory to do authentication & authorization. When a user leaves the company, Splunk will no longer see that user, but the knowledge objects are not deleted (which is good). How can I detect that situation? If the user has scheduled searches they will no longer run. I would like to find those and either change the user or delete the searches if they are not used anymore.
Regards
Chris
Based on woodcock's suggestion I came up with this search:
| rest /servicesNS/-/-/saved/searches | where is_scheduled=1 AND disabled=0 AND next_scheduled_time="" | fields eai:acl.owner cron_schedule is_scheduled eai:acl.app next_scheduled_time title updated splunk_server disabled
If the search is still active and scheduled but there is no next_scheduled_time then something is not right.
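The same check as the SPL above, as an added example that is not from the original thread: a Python function applied to the JSON form of the saved/searches REST endpoint. It flags scheduled, enabled searches with an empty next_scheduled_time and, going a step further than the SPL, optionally cross-checks every owner against a list of current directory users so that non-scheduled knowledge objects of departed users are found too. The response below is a constructed sample in the shape of `/servicesNS/-/-/saved/searches?output_mode=json`; the user and search names are made up.

```python
import json
from typing import Iterable, Optional

# Constructed sample response (not real data) mimicking the JSON output of the
# saved/searches REST endpoint: each entry carries acl (owner, app) and content.
SAMPLE_RESPONSE = json.dumps({"entry": [
    {"name": "Daily failed logins", "acl": {"owner": "chris", "app": "search"},
     "content": {"is_scheduled": True, "disabled": False, "cron_schedule": "0 6 * * *",
                 "next_scheduled_time": "2016-01-12 06:00:00 CET"}},
    {"name": "Weekly VPN report", "acl": {"owner": "jdoe", "app": "search"},
     "content": {"is_scheduled": "1", "disabled": "0", "cron_schedule": "0 7 * * 1",
                 "next_scheduled_time": ""}},
    {"name": "Old ad-hoc search", "acl": {"owner": "jdoe", "app": "search"},
     "content": {"is_scheduled": False, "disabled": False, "cron_schedule": "",
                 "next_scheduled_time": ""}},
    {"name": "Disabled report", "acl": {"owner": "mmuster", "app": "search"},
     "content": {"is_scheduled": True, "disabled": True, "cron_schedule": "*/5 * * * *",
                 "next_scheduled_time": ""}},
]})


def _truthy(value) -> bool:
    # The REST API may deliver booleans or the strings "0"/"1"; accept both.
    return str(value).lower() in ("1", "true")


def find_stalled_searches(response_json: str, active_users: Optional[Iterable[str]] = None):
    """Return saved searches that are scheduled and enabled but have no next run time
    (the condition the SPL in this thread checks).  If active_users is given, e.g. the
    current directory members, also flag any entry whose owner is not in that list."""
    active = set(active_users) if active_users is not None else None
    findings = []
    for entry in json.loads(response_json)["entry"]:
        content = entry["content"]
        owner = entry["acl"]["owner"]
        scheduled = _truthy(content.get("is_scheduled"))
        enabled = not _truthy(content.get("disabled"))
        stalled = scheduled and enabled and not content.get("next_scheduled_time")
        orphaned = active is not None and owner not in active
        if stalled or orphaned:
            findings.append({"title": entry["name"], "owner": owner,
                             "app": entry["acl"]["app"], "cron": content.get("cron_schedule"),
                             "stalled": stalled, "orphaned_owner": orphaned})
    return findings


if __name__ == "__main__":
    for finding in find_stalled_searches(SAMPLE_RESPONSE, active_users={"chris", "mmuster"}):
        print(finding)
```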
Run this on each Search Head:
| rest /servicesNS/-/-/saved/searches | where 'eai:acl.owner'="nobody" AND is_scheduled="1"
Hi woodcock, good to hear from you. Searching for the user "nobody" did not help on our installation. I do remember that this worked on other Splunk installations I used to look after. We're running 6.3.1, maybe something changed. You did get me going in the right direction though. I'll post the query as a separate answer.