Savedsearches for a disabled user



We had an employee leave the company. He had some important searches that seem to be bound to his account somehow.

When I goto Splunk >> Manage >> Searches and reports and filter by owner I can see it's owned by user01. But when I go into the app /opt/splunk/etc/apps/SA-myapp/local/savedsearches.conf i see the search. But I see no ref to it being owned by user01.

The search isn't running and sending alarms as expected when the user01 account is disabled.

I suppose I am asking a couple things here
1) How is ownership of this app determined?
2) What is the best way to move these 30+ savedsearches off of this user?

Tags (2)
0 Karma

Splunk Employee
Splunk Employee

User ownership and rights are persisted in metadata/local.meta or default.meta files. You can move the savedsearches.conf to a new app if you'd like and copy the relevant *.meta entries that correspond to said user into new app's metadata directory. Alternatively, you can simply change the owner in the existing *.meta file.

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!