Scheduled saved search deleted LDAP user

deeades
New Member

We had a user that set up a scheduled search to run weekly and send a report by email. We are set up for LDAP authentication, and this user has left our company and their AD account has been removed. The report is no longer being sent by email. When I attempt to go to the saved search from a previous link I receive "user does not exist: username". The report is also not listed in the Reports List. The report must have had this user listed as the owner. I have come across a few other answers that are somewhat related but have not found a definitive answer to this question. Is this saved search not available any longer, or is there a way to retrieve it somehow? I am not sure of the complete search string that was used.

Thanks.


richgalloway
SplunkTrust

Try this search to locate this and other orphaned searches.

| rest /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time actions
| rename eai:acl.owner as owner eai:acl.app as app eai:acl.sharing as sharing

Once you find it you should be able to change the owner, either using the GUI (depending on your Splunk version) or by editing .conf files.
See "Manage orphaned knowledge objects" at http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Resolveorphanedsearches

---
If this reply helps you, Karma would be appreciated.
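
Added example, not part of the original thread and not Splunk's own code: a Python cross-check of saved-search owners against the accounts that still exist, applying the same `disabled=0 is_scheduled=1` filter as the search above, for use after offboarding LDAP users. The JSON layout (`entry` / `acl` / `content`), the sample data, the treatment of `nobody` as a valid owner and the function names are assumptions; real input would come from the same REST endpoint requested with `output_mode=json`.

```python
import json

# Constructed sample shaped like the JSON that
# /servicesNS/-/-/saved/searches?output_mode=json&count=0 returns; all values are invented.
SAMPLE = json.dumps({"entry": [
    {"name": "Weekly VPN report",
     "acl": {"owner": "jdoe", "app": "search", "sharing": "user"},
     "content": {"disabled": False, "is_scheduled": True, "cron_schedule": "0 6 * * 1"}},
    {"name": "Old draft",
     "acl": {"owner": "jdoe", "app": "search", "sharing": "user"},
     "content": {"disabled": True, "is_scheduled": True, "cron_schedule": "0 0 * * *"}},
    {"name": "Failed logins",
     "acl": {"owner": "BKing", "app": "secops", "sharing": "app"},
     "content": {"disabled": "0", "is_scheduled": "1", "cron_schedule": "*/15 * * * *"}},
    {"name": "License usage",
     "acl": {"owner": "asmith", "app": "search", "sharing": "global"},
     "content": {"disabled": False, "is_scheduled": True, "cron_schedule": "0 1 * * *"}},
    {"name": "Shared dashboard feed",
     "acl": {"owner": "nobody", "app": "search", "sharing": "app"},
     "content": {"disabled": False, "is_scheduled": True, "cron_schedule": "0 2 * * *"}},
]})


def _flag(value):
    """Normalise a REST boolean that may arrive as true/false, 1/0 or "1"/"0"."""
    return str(value).strip().lower() in ("1", "true")


def orphaned_scheduled(rest_json, valid_users):
    """Return enabled, scheduled searches whose owner is not a current account."""
    # Assumption: "nobody" is the placeholder owner for unowned shared objects.
    valid = {u.lower() for u in valid_users} | {"nobody"}
    rows = []
    for entry in json.loads(rest_json).get("entry", []):
        acl, content = entry.get("acl", {}), entry.get("content", {})
        owner = acl.get("owner", "")
        if owner.lower() in valid:
            continue  # owner still exists, not orphaned
        if _flag(content.get("disabled")) or not _flag(content.get("is_scheduled")):
            continue  # same filter as the SPL: disabled=0 is_scheduled=1
        rows.append({"title": entry.get("name"), "owner": owner, "app": acl.get("app"),
                     "sharing": acl.get("sharing"), "cron_schedule": content.get("cron_schedule")})
    return sorted(rows, key=lambda r: (r["owner"].lower(), r["title"]))


if __name__ == "__main__":
    for row in orphaned_scheduled(SAMPLE, ["asmith", "admin"]):
        print(row)
```

The `title` and `app` values in each returned row are what the reassignment step needs.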


deeades
New Member

The recommended search came back showing the report I am looking for but I do not see how to change the owner. It comes up on the statistics tab and when I click on the Title or Owner it shows more menu options but they all seem to run further searches. We are on version 6.6.0.

Thanks.


richgalloway
SplunkTrust

Once you have the name and app go to Settings->All configurations and click the Reassign Knowledge Object button. Select the right app, scroll down to the search in question, and click Reassign. Choose the new owner, click Save, and you're done.

If your Splunk doesn't have the Reassign Knowledge Objects button (I don't have 6.6) then see the documentation link in my answer for other ways to change ownership. The doc explains it better than I could.

---
If this reply helps you, Karma would be appreciated.