Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk searches from deleted users

rgtsplunk
Explorer
‎10-17-2012 02:19 PM

We can see in our splunkd.log that is showing the following errors:

UserManagerPro - Failed to get LDAP user="xxx" from any configured servers
AuthenticationManagerLDAP - user="xxx" has matching LDAP groups with strategy="yyyy", but none are mapped to Splunk roles

We also get some error messages with 'user="splunk"', but have no user splunk. They are not the same as those run by splunk-system-user.

These users were removed, and should not be running searches. Yet these messages are consistently being reported. We would like to know what searches they apply to, so we can disable the searches, or move them to another user. But the message does not say what searches are running, nor give us any information to go on. Any ideas?

Richard Thomsen

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

piebob
Splunk Employee
Splunk Employee
‎12-21-2012 01:55 PM

you're most likely seeing saved searches created by these users that are run on a schedule. to see the owners of saved searches, you can look in Manager > Searches and reports.

once there, you can use the search box on the right to look for those usernames, or filter by app.

to change the owner of a search defined in $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf, edit the ownership and permissions defined in etc/apps/search/metadata/local.meta. you'll need to substitute the app name of any app you're working on for 'search'

you will have to restart splunk to see the change.

View solution in original post

Reply
Solved! Jump to solution
Solution

piebob
Splunk Employee
Splunk Employee
‎12-21-2012 01:55 PM

you're most likely seeing saved searches created by these users that are run on a schedule. to see the owners of saved searches, you can look in Manager > Searches and reports.

once there, you can use the search box on the right to look for those usernames, or filter by app.

to change the owner of a search defined in $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf, edit the ownership and permissions defined in etc/apps/search/metadata/local.meta. you'll need to substitute the app name of any app you're working on for 'search'

you will have to restart splunk to see the change.

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...