Security

How to run a curl command to reassign an abandoned search?

tkwaller
Builder

Running the curl command noted in the docs:https://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Resolveorphanedsearches

On my search head captain:

curl -k -u uname:pass <host>:<mgmt_port>/servicesNS/<user_context>/<app_context>/saved/searches/<entity_name>/acl -d owner=newOwner -d sharing=user

I get back:

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">User does not exist: user</msg>
  </messages>
</response>

YES I REALIZE THAT
but on my search heads, I can still find that user in SPLUNKHOME/etc/users/

So how can this user exist and not exist and how can I reassign the search?

Thanks!

1 Solution

Masa
Splunk Employee
Splunk Employee
0 Karma

the_wolverine
Champion

Hey all, apparently this was resolved in 6.4.3 .. and in 6.6 reassignment can be done (by admin) in UI.

Masa
Splunk Employee
Splunk Employee

Hope this link helps... (It was tested in v6.3.4 SHC)
http://wiki.splunk.com/Community:How_to_change_owner_of_savedsearches_using_REST_API

0 Karma

tkwaller
Builder

The problem is still the same. It says the user doesn't exist. Because they do not exist BUT their user path DOES exist via the File System. So I cannot remove anything via the GUI as there's nothing to remove and I can't do it via REST for the same reason.

So the question remains: how do I do this properly in a large clustered environment, we have 34 search heads

what would be the effect of
rm -rf SPLUNKHOME/etc/users/<user_no_longer_here>

Would that work? Would that replicate to the other SH's?
If the saved search goes away it's fine, I can re-crate it

0 Karma

Masa
Splunk Employee
Splunk Employee

It is strange user does not exist happens if you're using admin, user does not matter in general. The objects should be available through SplunkWeb. If not, Splunk is not aware of any objects owned by the user.

  1. Can you make sure you have list of search objects by the user through GUI?
  2. Make sure this by admin
  3. Can you show us full curl command and the output (without password of course)
  4. How about trying to change to app shared?

rm -rf is fine. But, won't be replicated at all.

0 Karma

tkwaller
Builder

So via the GUI there is NOTHING for this user NOR is the search tied to them found. It IS however in the file system which is why it keeps throwing the abandoned search messages.

I am the admin

I cant put it all here as it specific to my place of business but heres MOST of it:

curl -k -u  uname:pass <host>:8089/servicesNS/kmothenkani/stubhub_dashboard/saved/searches/SFR-PDF%20APIs/acl -d owner=tkwaller -d sharing=user

Also tried:

./splunk search 
                 "| rest splunk_server=local /servicesNS/-/-/saved/searches 
                   | table eai:acl.sharing eai:acl.owner id 
                   | rename eai:acl.owner as owner eai:acl.sharing AS sharing  
                   | search owner=kmothekani"
Your session is invalid.  Please login.
Splunk username: admin
Password:
0 Karma

tkwaller
Builder

Just FYI the formatting isn't quite right here but the second search I listed here is straight from the doc you added:
http://wiki.splunk.com/Community:How_to_change_owner_of_savedsearches_using_REST_API

0 Karma

Masa
Splunk Employee
Splunk Employee

So, Splunk does not see any objects owned by the users. In that case, REST call cannot help.

All you can do is to delete the user directory one by one.

0 Karma

tkwaller
Builder

I am accepting this answer because it IS the correct answer........BUT its not a good resolution, not that I expect anyone to fix it. How is it that Splunk cannot see these users via the GUI but it still sees these users artifacts in their directories.

0 Karma

somesoni2
Revered Legend

So, the user_context is original owner (no longer a valid user), the error that you see is for original user OR newOwner ?

0 Karma

tkwaller
Builder

yes the <user_context> is the old user, the error is for the OLD user, as that user no longer exists but DOES exist in the FS.

The user doesn't exist via splunk web nor does the savedsearch but I CAN find it in SPLUNKHOME/etc/apps/users/<user_context>/

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...