Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk searches from deleted users

rgtsplunk
Explorer
‎10-17-2012 02:19 PM

We can see in our splunkd.log that is showing the following errors:

UserManagerPro - Failed to get LDAP user="xxx" from any configured servers
AuthenticationManagerLDAP - user="xxx" has matching LDAP groups with strategy="yyyy", but none are mapped to Splunk roles

We also get some error messages with 'user="splunk"', but have no user splunk. They are not the same as those run by splunk-system-user.

These users were removed, and should not be running searches. Yet these messages are consistently being reported. We would like to know what searches they apply to, so we can disable the searches, or move them to another user. But the message does not say what searches are running, nor give us any information to go on. Any ideas?

Richard Thomsen

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

piebob
Splunk Employee
Splunk Employee
‎12-21-2012 01:55 PM

you're most likely seeing saved searches created by these users that are run on a schedule. to see the owners of saved searches, you can look in Manager > Searches and reports.

once there, you can use the search box on the right to look for those usernames, or filter by app.

to change the owner of a search defined in $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf, edit the ownership and permissions defined in etc/apps/search/metadata/local.meta. you'll need to substitute the app name of any app you're working on for 'search'

you will have to restart splunk to see the change.

View solution in original post

Reply
Solved! Jump to solution
Solution

piebob
Splunk Employee
Splunk Employee
‎12-21-2012 01:55 PM

you're most likely seeing saved searches created by these users that are run on a schedule. to see the owners of saved searches, you can look in Manager > Searches and reports.

once there, you can use the search box on the right to look for those usernames, or filter by app.

to change the owner of a search defined in $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf, edit the ownership and permissions defined in etc/apps/search/metadata/local.meta. you'll need to substitute the app name of any app you're working on for 'search'

you will have to restart splunk to see the change.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...