Unable To Modify Owner Of Orphaned Scheduled Search

sbair
Explorer

Splunk Version: 6.5.2

I receive a notification for a list of orphaned searches owned by a disabled user. I have changed the owner and restarted Splunk, but it still shows up in the list of orphaned searches and still displays the original owner.

Example:

  • search name: scheduled_search_test
  • owner: oldowner
  • app: sysadmin
  • sharing: user
  • status: enabled

I modified /$SPLUNK_HOME/etc/apps/sysadmin/metadata/local.meta to change "oldowner" to "newowner" and restarted Splunk, but the search still shows up as orphaned and owned by "oldowner". Any suggestions would be greatly appreciated.


woodcock
Esteemed Legend

The exact same saved search name (not necessarily with the same definition or settings) can exist at the app/global level and the user level. Check in SPLUNK_HOME/etc/user/<deleted user> directory for a savedsearches.conf file.

sbair
Explorer

Thank you for the additional information - I located the remaining savedsearches in the app folders under the deleted user's directory. I had previously only removed the stanzas from /$SPLUNK_HOME/etc/users/oldowner/local/savedsearches.conf


jagadeeshreddy2
Explorer

"You can try editing the savedsearches.conf of the invalid user, cut the stanza and paste it in the valid user."

If the orphaned report has not been shared with other users, it is defined entirely within the savedsearches.conf file at the user level.

Cut the stanza for the search out of the savedsearches.conf file for the invalid user and paste it into the savedsearches.conf file for a valid user.

In the filesystem of your Splunk deployment, open the savedsearches.conf file for an invalid user at etc/users//search/local/savedsearches.conf.
Locate the stanza for the orphaned scheduled search and cut it out.
Save your changes to the file and close it.
Open the savedsearches.conf file for a valid user at etc/users//search/local/savedsearches.conf.
Copy the search stanza that you just cut to the savedsearches.conf file for the valid user.
Save your changes to the file and close it.
Restart your Splunk deployment so the changes take effect.
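The steps above, and woodcock's point that a user-level stanza can sit under any app directory beneath etc/users/&lt;user&gt; (not only search/) and can share its name with an app-level stanza, as one added example. This is illustrative code written for this page, not Splunk's own tooling: it assumes the file layout the thread describes ($SPLUNK_HOME/etc/users/&lt;user&gt;/&lt;app&gt;/local/savedsearches.conf and $SPLUNK_HOME/etc/apps/&lt;app&gt;/{default,local}/savedsearches.conf), the usernames, app names and search definitions are constructed sample data, and it edits files on disk only, so splunkd still has to be restarted afterwards as the thread says.

```python
"""Added example (not from the thread or from Splunk): list the saved-search
stanzas a removed user still owns at the user level, flag the ones that also
exist at the app level, and move a stanza to a valid owner by rewriting
savedsearches.conf on disk. All names below are constructed sample data."""
import re
import tempfile
from pathlib import Path

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_conf(text):
    """Split a Splunk .conf file into an ordered list of (stanza, lines).
    Lines before the first header are kept under the key None so comments
    at the top of the file survive a rewrite. Bodies are kept verbatim."""
    stanzas, name, body = [], None, []
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            stanzas.append((name, body))
            name, body = m.group(1), []
        else:
            body.append(line)
    stanzas.append((name, body))
    return [(n, b) for n, b in stanzas if n is not None or b]


def dump_conf(stanzas):
    out = []
    for name, body in stanzas:
        if name is not None:
            out.append(f"[{name}]")
        out.extend(body)
    return "\n".join(out) + "\n"


def app_level_names(splunk_home, app):
    """Stanza names defined in the app's own default/ and local/ files."""
    names = set()
    for scope in ("default", "local"):
        conf = Path(splunk_home) / "etc" / "apps" / app / scope / "savedsearches.conf"
        if conf.exists():
            names.update(n for n, _ in parse_conf(conf.read_text()) if n)
    return names


def user_saved_searches(splunk_home, user):
    """Every stanza under etc/users/<user>/*/local/savedsearches.conf, with a
    flag telling whether the same name also exists at the app level (the two
    can coexist, and the app copy is what you see in the UI)."""
    base = Path(splunk_home) / "etc" / "users" / user
    found = []
    for conf in sorted(base.glob("*/local/savedsearches.conf")):
        app = conf.parent.parent.name
        shadow = app_level_names(splunk_home, app)
        for name, _ in parse_conf(conf.read_text()):
            if name is not None and name != "default":
                found.append({"app": app, "name": name, "also_at_app_level": name in shadow})
    return found


def move_stanza(splunk_home, old_user, new_user, app, search):
    """Cut one stanza from old_user's file and append it to new_user's file
    for the same app. Refuses to create a duplicate in the destination; the
    search will run under new_user's role, so review it before moving.
    Returns True if a stanza was moved."""
    users = Path(splunk_home) / "etc" / "users"
    src = users / old_user / app / "local" / "savedsearches.conf"
    dst = users / new_user / app / "local" / "savedsearches.conf"
    stanzas = parse_conf(src.read_text()) if src.exists() else []
    moved = [(n, b) for n, b in stanzas if n == search]
    if not moved:
        return False
    existing = parse_conf(dst.read_text()) if dst.exists() else []
    if any(n == search for n, _ in existing):
        raise ValueError(f"{new_user} already has [{search}] in app {app}; merge by hand")
    dst.parent.mkdir(parents=True, exist_ok=True)
    dst.write_text(dump_conf(existing + moved))
    src.write_text(dump_conf([(n, b) for n, b in stanzas if n != search]))
    return True


def build_demo_tree(root):
    """Constructed layout mirroring the question: one search that exists at
    app level in 'sysadmin', plus user-level leftovers for 'oldowner' in two
    apps (the second one is the kind the original poster had missed)."""
    files = {
        "etc/apps/sysadmin/local/savedsearches.conf":
            "[scheduled_search_test]\nsearch = index=_audit | stats count\n",
        "etc/users/oldowner/sysadmin/local/savedsearches.conf":
            "# user-level copies\n[scheduled_search_test]\nsearch = index=_audit action=failed\n"
            "cron_schedule = 0 * * * *\nenableSched = 1\n\n[other_report]\nsearch = index=main\n",
        "etc/users/oldowner/search/local/savedsearches.conf":
            "[daily_audit]\nsearch = index=_internal\ncron_schedule = 0 6 * * *\nenableSched = 1\n",
    }
    for rel, text in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


def demo():
    """Run the whole procedure in a throwaway directory and return what was
    found before and after, so the effect can be checked without a Splunk."""
    with tempfile.TemporaryDirectory() as home:
        build_demo_tree(home)
        before = user_saved_searches(home, "oldowner")
        moved = [move_stanza(home, "oldowner", "newowner", s["app"], s["name"]) for s in before]
        return {"before": before, "moved": moved,
                "after_old": user_saved_searches(home, "oldowner"),
                "after_new": user_saved_searches(home, "newowner")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point it at a real $SPLUNK_HOME with user_saved_searches(home, "oldowner") first and read the list before moving anything: a stanza flagged also_at_app_level is the case woodcock describes, and any stanza you move starts running with the new owner's permissions on the next schedule tick.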

sbair
Explorer

Thank you for the additional information - I located the remaining savedsearches in the app folders under the deleted user's directory. I had previously only removed the stanzas from /$SPLUNK_HOME/etc/users/oldowner/local/savedsearches.conf. Once I moved the remaining stanzas the orphaned searches cleared.


woodcock
Esteemed Legend

This is a correct method. Are you in a Search Head Cluster? Try deleting the local.meta entry entirely. This should cause it to become owned by nobody but it should work just fine.


sbair
Explorer

Thank you for the reply - this is a standalone instance of Splunk. I removed the local.meta file for the app, restarted Splunk, and the orphaned scheduled searches still show up as owned by the deactivated owner.


woodcock
Esteemed Legend

Check for the same stuff in $SPLUNK_HOME/etc/users/deleteduser/*


DalJeanis
Legend

Start by checking on the search head whether the search itself is in the old owner's "local" directory.


sbair
Explorer

Thank you for the reply DalJeanis - I verified that there are no longer any saved searches under /$SPLUNK_HOME/etc/users/oldowner/local/savedsearches.conf, which appears to only affect unshared saved searches.
