Unable To Modify Owner Of Orphaned Scheduled Search

sbair
Explorer

Splunk Version: 6.5.2

I receive a notification for a list of orphaned searches owned by a disabled user. I have changed the owner and restarted Splunk, but it still shows up in the list of orphaned searches and still displays the original owner.

Example:

  • search name: scheduled_search_test
  • owner: oldowner
  • app: sysadmin
  • sharing: user
  • status: enabled

I modified /$SPLUNK_HOME/etc/apps/sysadmin/metadata/local.meta to change "oldowner" to "newowner" and restarted Splunk, but the search still shows up as orphaned and owned by "oldowner". Any suggestions would be greatly appreciated.

woodcock
Esteemed Legend

The exact same saved search name (not necessarily with the same definition or settings) can exist at the app/global level and the user level. Check in SPLUNK_HOME/etc/user/<deleted user> directory for a savedsearches.conf file.

sbair
Explorer

Thank you for the additional information - I located the remaining savedsearches in the app folders under the deleted user's directory. I had previously only removed the stanzas from /$SPLUNK_HOME/etc/users/oldowner/local/savedsearches.conf

jagadeeshreddy2
Explorer

"You can try editing the savedsearches.conf of the invalid user, cut the stanza and paste it in the valid user's."

If the orphaned report has not been shared with other users, it is defined entirely within the savedsearches.conf file at the user level.

Cut the stanza for the search out of the savedsearches.conf file for the invalid user and paste it into the savedsearches.conf file for a valid user.

In the filesystem of your Splunk deployment, open the savedsearches.conf file for an invalid user at etc/users//search/local/savedsearches.conf.
Locate the stanza for the orphaned scheduled search and cut it out.
Save your changes to the file and close it.
Open the savedsearches.conf file for a valid user at etc/users//search/local/savedsearches.conf.
Copy the search stanza that you just cut to the savedsearches.conf file for the valid user.
Save your changes to the file and close it.
Restart your Splunk deployment so the changes take effect.
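The cut-and-paste procedure above, plus the check the rest of the thread converges on (private searches can sit under any app folder of the old user, not only search/), as an added example that is not from this thread. The helper names, the simplified stanza parser and the sample $SPLUNK_HOME tree are constructed assumptions; run it against a real deployment only after backing up the files it rewrites.

```python
import re, tempfile
from pathlib import Path
STANZA_RE = re.compile(r"^\[(.+)\]\s*$")

def parse_stanzas(text):  # Splunk .conf -> {stanza: [raw body lines]}, order preserved
    stanzas, current = {}, None
    for line in text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line)  # keys, comments and continuation lines kept verbatim
    return stanzas

def render_stanzas(stanzas):  # inverse of parse_stanzas
    return "".join(f"[{name}]\n" + "".join(l + "\n" for l in body) for name, body in stanzas.items())

def user_conf(splunk_home, user, app):  # etc/users/<user>/<app>/local/savedsearches.conf
    return Path(splunk_home, "etc", "users", user, app, "local", "savedsearches.conf")

def find_user_saved_searches(splunk_home, user):
    """Return {app: [stanza names]} for every app directory under etc/users/<user>, not only 'search'."""
    found = {}
    for conf in sorted(Path(splunk_home, "etc", "users", user).glob("*/local/savedsearches.conf")):
        found[conf.parent.parent.name] = list(parse_stanzas(conf.read_text()))
    return found

def move_user_stanza(splunk_home, app, name, src_user, dst_user):
    """Cut [name] out of src_user's file for <app> and append it to dst_user's (created if absent)."""
    src_path, dst_path = user_conf(splunk_home, src_user, app), user_conf(splunk_home, dst_user, app)
    src = parse_stanzas(src_path.read_text())
    body = src.pop(name)  # KeyError if the stanza is not in the file we were told to cut it from
    dst = parse_stanzas(dst_path.read_text()) if dst_path.exists() else {}
    dst[name] = body
    src_path.write_text(render_stanzas(src))
    dst_path.parent.mkdir(parents=True, exist_ok=True)
    dst_path.write_text(render_stanzas(dst))

def build_demo_tree():
    """Constructed sample $SPLUNK_HOME in a temp dir: 'oldowner' still owns private searches in two apps."""
    root = Path(tempfile.mkdtemp())
    samples = {("oldowner", "search"): "[scheduled_search_test]\nsearch = index=_internal | head 5\ncron_schedule = */5 * * * *\nenableSched = 1\n",
               ("oldowner", "sysadmin"): "[disk_space_check]\nsearch = index=os sourcetype=df | head 1\n"}
    for (user, app), text in samples.items():
        p = user_conf(root, user, app)
        p.parent.mkdir(parents=True)
        p.write_text(text)
    return str(root)
```

Inventory the disabled user with find_user_saved_searches() first; anything it still lists after the move is what keeps the search reported as orphaned.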

sbair
Explorer

Thank you for the additional information - I located the remaining savedsearches in the app folders under the deleted user's directory. I had previously only removed the stanzas from /$SPLUNK_HOME/etc/users/oldowner/local/savedsearches.conf. Once I moved the remaining stanzas the orphaned searches cleared.

woodcock
Esteemed Legend

This is a correct method. Are you in a Search Head Cluster? Try deleting the local.meta entry entirely. This should cause it to become owned by nobody but it should work just fine.

sbair
Explorer

Thank you for the reply - this is a standalone instance of Splunk. I removed the local.meta file for the app, restarted Splunk, and the orphaned scheduled searches still show up as owned by the deactivated owner.

woodcock
Esteemed Legend

Check for the same stuff in $SPLUNK_HOME/etc/users/deleteduser/*

DalJeanis
Legend

Start by checking on the search head whether the search itself is in the old owner's "local" directory.

sbair
Explorer

Thank you for the reply DalJeanis - I verified that there are no longer any saved searches under /$SPLUNK_HOME/etc/users/oldowner/local/savedsearches.conf, which appears to only affect unshared saved searches.
