We had an employee leave the company. He had some important searches that seem to be bound to his account somehow.
When I go to Splunk >> Manage >> Searches and reports and filter by owner, I can see it's owned by user01. But when I go into the app /opt/splunk/etc/apps/SA-myapp/local/savedsearches.conf I see the search. But I see no ref to it being owned by user01.
The search isn't running and sending alarms as expected when the user01 account is disabled.
I suppose I am asking a couple things here:
1) How is ownership of this app determined?
2) What is the best way to move these 30+ savedsearches off of this user?
User ownership and rights are persisted in metadata/local.meta or default.meta files. You can move the savedsearches.conf to a new app if you'd like and copy the relevant *.meta entries that correspond to said user into the new app's metadata directory. Alternatively, you can simply change the owner in the existing *.meta file.
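The owner change described in the answer above, as an added example that is not part of the original thread: a Python helper that rewrites the `owner` key only in `[savedsearches/...]` stanzas of a `.meta` file that belong to the departed user. The sample file content, the stanza names and the replacement account `svc_alerts` are constructed assumptions.

```python
import re

# Constructed sample of metadata/local.meta; stanza names and values are made up.
SAMPLE_META = """\
[savedsearches/Failed%20Logins]
owner = user01
version = 8.0.0
access = read : [ * ], write : [ admin ]

[savedsearches/Disk%20Alert]
owner = admin
export = system

[views/overview]
owner = user01

[savedsearches/VPN%20Anomaly]
export = none
owner = user01
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
OWNER_RE = re.compile(r"^(?P<key>\s*owner\s*=\s*)(?P<val>\S+)\s*$")

def reassign_owner(meta_text, old_owner, new_owner, conf="savedsearches"):
    """Return (new_text, changed_stanzas).

    Only stanzas named [<conf>/...] whose owner equals old_owner are rewritten;
    other object types (views, lookups, ...) and other owners are left alone.
    """
    out, changed, current = [], [], None
    for line in meta_text.splitlines():
        stanza = STANZA_RE.match(line)
        if stanza:
            current = stanza.group("name")
        else:
            owner = OWNER_RE.match(line)
            if (owner and current and current.startswith(conf + "/")
                    and owner.group("val") == old_owner):
                line = owner.group("key") + new_owner
                changed.append(current)  # record for review before deploying
        out.append(line)
    return "\n".join(out) + "\n", changed

if __name__ == "__main__":
    # svc_alerts is a hypothetical replacement account.
    new_text, changed = reassign_owner(SAMPLE_META, "user01", "svc_alerts")
    print("reassigned:", changed)
    print(new_text)
```

Run it against a copy of the app's metadata/local.meta and diff the result before replacing the original; the returned list of changed stanzas doubles as a record of which alerts were tied to the disabled account.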