Running the curl command noted in the docs: https://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Resolveorphanedsearches
On my search head captain:
curl -k -u uname:pass <host>:<mgmt_port>/servicesNS/<user_context>/<app_context>/saved/searches/<entity_name>/acl -d owner=newOwner -d sharing=user
I get back:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">User does not exist: user</msg>
</messages>
</response>
YES I REALIZE THAT
but on my search heads, I can still find that user in SPLUNKHOME/etc/users/
So how can this user exist and not exist and how can I reassign the search?
Thanks!
Hope this link helps... (It was tested in v6.3.4 SHC)
http://wiki.splunk.com/Community:How_to_change_owner_of_savedsearches_using_REST_API
Hey all, apparently this was resolved in 6.4.3 .. and in 6.6 reassignment can be done (by admin) in UI.
The problem is still the same. It says the user doesn't exist. Because they do not exist BUT their user path DOES exist via the File System. So I cannot remove anything via the GUI as there's nothing to remove and I can't do it via REST for the same reason.
So the question remains: how do I do this properly in a large clustered environment? We have 34 search heads.
what would be the effect of
rm -rf SPLUNKHOME/etc/users/<user_no_longer_here>
Would that work? Would that replicate to the other SH's?
If the saved search goes away it's fine, I can re-create it.
It is strange that "user does not exist" happens if you're using admin; the user does not matter in general. The objects should be available through SplunkWeb. If not, Splunk is not aware of any objects owned by the user.
rm -rf is fine. But it won't be replicated at all.
So via the GUI there is NOTHING for this user NOR is the search tied to them found. It IS however in the file system which is why it keeps throwing the abandoned search messages.
I am the admin
I can't put it all here as it's specific to my place of business, but here's MOST of it:
curl -k -u uname:pass <host>:8089/servicesNS/kmothenkani/stubhub_dashboard/saved/searches/SFR-PDF%20APIs/acl -d owner=tkwaller -d sharing=user
Also tried:
./splunk search
"| rest splunk_server=local /servicesNS/-/-/saved/searches
| table eai:acl.sharing eai:acl.owner id
| rename eai:acl.owner as owner eai:acl.sharing AS sharing
| search owner=kmothekani"
Your session is invalid. Please login.
Splunk username: admin
Password:
Just FYI, the formatting isn't quite right here, but the second search I listed is straight from the doc you added:
http://wiki.splunk.com/Community:How_to_change_owner_of_savedsearches_using_REST_API
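The two commands in this post are the two views an admin has to reconcile: the `| rest /servicesNS/-/-/saved/searches` listing tells you which objects Splunk still knows about and who it thinks owns them, and the ACL POST from the docs (`.../saved/searches/<name>/acl -d owner=... -d sharing=...`) is what actually reassigns one of them. The script below is an added example, not code from this thread or from Splunk: it takes the output of that `| rest` search, the user names from Splunk's `/services/authentication/users` endpoint, and the directory names under `$SPLUNK_HOME/etc/users/`, and reports which listed objects have an owner Splunk no longer knows (those can be reassigned over REST, and it builds the exact URL and form body, URL-encoding the entity name the way `SFR-PDF%20APIs` is encoded above) and which user directories exist only on disk (the case in this thread, where REST answers "User does not exist" and only a per-search-head cleanup is left, since `etc/users` is not replicated in an SHC). The host `sh1`, the user names and the rows are constructed sample data; nothing is sent to a server.

```python
"""Reconcile saved-search ownership on a Splunk search head (added example).

Three inputs, all constructed samples here:
  * rows from `| rest /servicesNS/-/-/saved/searches | table eai:acl.sharing eai:acl.owner id`
  * user names from /services/authentication/users
  * directory names found under $SPLUNK_HOME/etc/users/
"""
from urllib.parse import quote, unquote, urlencode, urlsplit

# Constructed sample rows (host sh1 and names are placeholders, not real data).
SAMPLE_SAVED_SEARCHES = [
    {"id": "https://sh1:8089/servicesNS/kmothenkani/stubhub_dashboard/saved/searches/SFR-PDF%20APIs",
     "eai:acl.owner": "kmothenkani", "eai:acl.sharing": "user"},
    {"id": "https://sh1:8089/servicesNS/admin/search/saved/searches/Errors%20last%2024h",
     "eai:acl.owner": "admin", "eai:acl.sharing": "app"},
    {"id": "https://sh1:8089/servicesNS/nobody/search/saved/searches/License%20usage",
     "eai:acl.owner": "nobody", "eai:acl.sharing": "global"},
]
# Constructed sample of current Splunk users.
SAMPLE_KNOWN_USERS = {"admin", "tkwaller"}
# Constructed sample of directory names under $SPLUNK_HOME/etc/users/.
SAMPLE_USER_DIRS = ["admin", "tkwaller", "kmothenkani", "olduser42"]


def find_orphaned_searches(saved_searches, known_users):
    """Objects Splunk still lists whose owner is no longer a user.

    These are the ones the ACL endpoint can reassign. 'nobody' is the owner
    of app- and global-shared objects and is never treated as an orphan."""
    return [s for s in saved_searches
            if s["eai:acl.owner"] != "nobody" and s["eai:acl.owner"] not in known_users]


def find_stale_user_dirs(user_dirs, known_users, saved_searches):
    """Directories under etc/users that belong to no current user and own no
    object Splunk lists. REST cannot address these (it reports 'User does not
    exist'); they have to be cleaned per search head because etc/users is not
    replicated across a search head cluster."""
    listed_owners = {s["eai:acl.owner"] for s in saved_searches}
    return sorted(d for d in user_dirs
                  if d not in known_users and d not in listed_owners)


def split_object_id(object_id):
    """Split a servicesNS object id into (user_context, app_context, name).

    The user context in the id is the original owner, which is the value the
    ACL URL needs. The entity name is returned decoded ('SFR-PDF APIs')."""
    parts = urlsplit(object_id).path.split("/")
    i = parts.index("servicesNS")
    # layout: /servicesNS/<user>/<app>/saved/searches/<name>
    return parts[i + 1], parts[i + 2], unquote(parts[i + 5])


def build_reassign_request(mgmt_url, object_id, new_owner, sharing="user"):
    """Build (url, form_body) for the documented ACL POST:
    POST /servicesNS/<user>/<app>/saved/searches/<name>/acl  owner=<new> sharing=<s>
    Only builds the request; sending it is deliberately left to the caller."""
    user_ctx, app_ctx, name = split_object_id(object_id)
    url = "{}/servicesNS/{}/{}/saved/searches/{}/acl".format(
        mgmt_url, quote(user_ctx, safe=""), quote(app_ctx, safe=""), quote(name, safe=""))
    return url, urlencode({"owner": new_owner, "sharing": sharing})


def plan(mgmt_url, saved_searches, known_users, user_dirs, new_owner):
    """Dry-run plan: REST requests for reassignable objects plus directories
    that only a filesystem cleanup on each search head can remove."""
    reassign = [build_reassign_request(mgmt_url, s["id"], new_owner)
                for s in find_orphaned_searches(saved_searches, known_users)]
    stale = find_stale_user_dirs(user_dirs, known_users, saved_searches)
    return {"reassign": reassign, "stale_dirs": stale}


if __name__ == "__main__":
    result = plan("https://sh1:8089", SAMPLE_SAVED_SEARCHES,
                  SAMPLE_KNOWN_USERS, SAMPLE_USER_DIRS, new_owner="tkwaller")
    for url, body in result["reassign"]:
        print("reassign over REST: curl -k -u admin -X POST '{}' -d '{}'".format(url, body))
    for d in result["stale_dirs"]:
        print("on-disk only, clean up on every search head: $SPLUNK_HOME/etc/users/" + d)
```

With the sample data the plan contains one REST reassignment (the `SFR-PDF APIs` search, still listed but owned by a vanished user) and one stale directory (`olduser42`, present on disk but owning nothing Splunk lists). In the situation described in this thread the REST listing returned nothing for the old owner, so that owner's directory would land in the second list, which is exactly why the ACL call could not help.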
So, Splunk does not see any objects owned by the user. In that case, the REST call cannot help.
All you can do is to delete the user directory one by one.
I am accepting this answer because it IS the correct answer... BUT it's not a good resolution, not that I expect anyone to fix it. How is it that Splunk cannot see these users via the GUI but it still sees these users' artifacts in their directories?
So, the user_context is the original owner (no longer a valid user); is the error that you see for the original user OR for newOwner?
Yes, the <user_context> is the old user. The error is for the OLD user, as that user no longer exists but DOES exist in the FS.
The user doesn't exist via Splunk Web, nor does the saved search, but I CAN find it in SPLUNKHOME/etc/apps/users/<user_context>/.