Unable To Modify Owner Of Orphaned Scheduled Search

sbair
Explorer

Splunk Version: 6.5.2

I receive a notification for a list of orphaned searches owned by a disabled user. I have changed the owner and restarted Splunk, but it still shows up in the list of orphaned searches and still displays the original owner.

Example:

  • search name: scheduled_search_test
  • owner: oldowner
  • app: sysadmin
  • sharing: user
  • status: enabled

I modified /$SPLUNK_HOME/etc/apps/sysadmin/metadata/local.meta to change "oldowner" to "newowner" and restarted Splunk, but the search still shows up as orphaned and owned by "oldowner". Any suggestions would be greatly appreciated.

0 Karma
1 Solution

woodcock
Esteemed Legend

The exact same saved search name (not necessarily with the same definition or settings) can exist at the app/global level and the user level. Check in SPLUNK_HOME/etc/user/<deleted user> directory for a savedsearches.conf file.

jagadeeshreddy2
Explorer

"You can try editing the savedsearches.conf of the invalid user, cut the stanza and paste it in the valid user's"..

If the orphaned report has not been shared with other users, it is defined entirely within the savedsearches.conf file at the user level.

Cut the stanza for the search out of the savedsearches.conf file for the invalid user and paste it into the savedsearches.conf file for a valid user.

In the filesystem of your Splunk deployment, open the savedsearches.conf file for the invalid user at etc/users/<invalid user>/search/local/savedsearches.conf.
Locate the stanza for the orphaned scheduled search and cut it out.
Save your changes to the file and close it.
Open the savedsearches.conf file for the valid user at etc/users/<valid user>/search/local/savedsearches.conf.
Paste the search stanza that you just cut into the savedsearches.conf file for the valid user.
Save your changes to the file and close it.
Restart your Splunk deployment so the changes take effect.
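The two points made in this thread, that a saved search with the same name can exist at app scope and at user scope (so the user-scoped copy under $SPLUNK_HOME/etc/users/<user>/<app>/local/ is easy to miss), and the cut-and-paste procedure above, can be done with one script. The following is an added example written for this page, not code from the thread, from Splunk, or from any of the posters. It assumes the standard on-disk layout ($SPLUNK_HOME/etc/apps/<app>/{local,default}/savedsearches.conf for app-scoped objects and $SPLUNK_HOME/etc/users/<user>/<app>/local/savedsearches.conf for user-scoped ones), moves stanzas as verbatim text blocks so backslash continuation lines and comments survive, and refuses to overwrite a stanza that already exists in the destination. The user names, app name, sample stanzas and function names are illustrative; the demo runs against a constructed tree in a temporary directory.

```python
"""Locate every savedsearches.conf that defines a search, and move a disabled
user's user-scoped stanzas to a valid user (added example, not Splunk code).

Assumed layout (standard Splunk on-disk layout, illustrative names):
  $SPLUNK_HOME/etc/apps/<app>/{local,default}/savedsearches.conf   app scope
  $SPLUNK_HOME/etc/users/<user>/<app>/local/savedsearches.conf     user scope
Restart Splunk after moving stanzas so the change takes effect.
"""
import re
import tempfile
from pathlib import Path

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*$")


def split_stanzas(text):
    """Split a .conf file into (preamble, [(name, block)]), keeping text verbatim."""
    preamble, stanzas, name, buf = [], [], None, []
    for line in text.splitlines(keepends=True):
        m = STANZA_RE.match(line)
        if m:
            if name is None:
                preamble = buf            # lines before the first stanza header
            else:
                stanzas.append((name, "".join(buf)))
            name, buf = m.group("name"), [line]
        else:
            buf.append(line)              # keys, comments and "\" continuations
    if name is None:
        preamble = buf
    else:
        stanzas.append((name, "".join(buf)))
    return "".join(preamble), stanzas


def join_stanzas(preamble, stanzas):
    """Inverse of split_stanzas; guarantees each block ends with a newline."""
    return preamble + "".join(b if b.endswith("\n") else b + "\n" for _, b in stanzas)


def move_stanzas(src_text, dst_text, names=None):
    """Return (new_src, new_dst) with `names` (default: all) moved src -> dst.
    Raises ValueError instead of silently overwriting a stanza already in dst,
    because the same name can legitimately exist in several scopes."""
    src_pre, src_st = split_stanzas(src_text)
    dst_pre, dst_st = split_stanzas(dst_text)
    moving = {n for n, _ in src_st} if names is None else set(names)
    clash = moving & {n for n, _ in dst_st}
    if clash:
        raise ValueError(f"already defined in destination: {sorted(clash)}")
    moved = [(n, b) for n, b in src_st if n in moving]
    kept = [(n, b) for n, b in src_st if n not in moving]
    return join_stanzas(src_pre, kept), join_stanzas(dst_pre, dst_st + moved)


def locate_search(splunk_home, name):
    """Every app- or user-scoped savedsearches.conf under etc/ defining `name`."""
    root = Path(splunk_home) / "etc"
    files = sorted(root.glob("apps/*/*/savedsearches.conf"))
    files += sorted(root.glob("users/*/*/*/savedsearches.conf"))
    hits = []
    for conf in files:
        if any(n == name for n, _ in split_stanzas(conf.read_text())[1]):
            hits.append(conf.relative_to(root).as_posix())
    return hits


def migrate_user_searches(splunk_home, old_user, new_user, dry_run=False):
    """Move every user-scoped stanza of old_user into new_user's matching app
    directory. Returns {src path relative to etc/users: [stanza names]}.
    The emptied source file is left in place (harmless, easy to delete by hand)."""
    users = Path(splunk_home) / "etc" / "users"
    report = {}
    for src in sorted(users.glob(f"{old_user}/*/local/savedsearches.conf")):
        app = src.parent.parent.name
        dst = users / new_user / app / "local" / "savedsearches.conf"
        src_text = src.read_text()
        names = [n for n, _ in split_stanzas(src_text)[1]]
        report[src.relative_to(users).as_posix()] = names
        if names and not dry_run:
            new_src, new_dst = move_stanzas(src_text, dst.read_text() if dst.exists() else "")
            dst.parent.mkdir(parents=True, exist_ok=True)
            dst.write_text(new_dst)
            src.write_text(new_src)
    return report


def demo():
    """Constructed sample tree (not a real deployment): the same search name at
    app scope and at user scope for 'oldowner'. Returns (before, report, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app_conf = root / "etc/apps/sysadmin/local/savedsearches.conf"
        old_conf = root / "etc/users/oldowner/sysadmin/local/savedsearches.conf"
        for p in (app_conf, old_conf):
            p.parent.mkdir(parents=True)
        app_conf.write_text("[scheduled_search_test]\nsearch = index=main | stats count\n")
        old_conf.write_text("[scheduled_search_test]\nenableSched = 1\n"
                            "cron_schedule = 0 * * * *\nsearch = index=main \\\n| stats count\n")
        before = locate_search(root, "scheduled_search_test")
        report = migrate_user_searches(root, "oldowner", "newowner")
        after = locate_search(root, "scheduled_search_test")
        return before, report, after


if __name__ == "__main__":
    for label, value in zip(("before", "moved", "after"), demo()):
        print(f"{label}: {value}")
```

Run `migrate_user_searches(..., dry_run=True)` first to see which stanzas would move, then without it, then restart Splunk. On a search head cluster this file-level edit on one member is not replicated by the cluster, so there the change should be made through the REST API or the deployer rather than by editing files directly.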

sbair
Explorer

Thank you for the additional information - I located the remaining savedsearches in the app folders under the deleted user's directory. I had previously only removed the stanzas from /$SPLUNK_HOME/etc/users/oldowner/local/savedsearches.conf. Once I moved the remaining stanzas the orphaned searches cleared.

0 Karma

woodcock
Esteemed Legend

This is a correct method. Are you in a Search Head Cluster? Try deleting the local.meta entry entirely. This should cause it to become owned by nobody but it should work just fine.

0 Karma

sbair
Explorer

Thank you for the reply - this is a standalone instance of Splunk. I removed the local.meta file for the app, restarted Splunk, and the orphaned scheduled searches still show up as owned by the deactivated owner.

0 Karma

woodcock
Esteemed Legend

Check for the same stuff in $SPLUNK_HOME/etc/users/deleteduser/*

0 Karma

DalJeanis
Legend

Start by checking on the search head whether the search itself is in the old owner's "local" directory.

0 Karma

sbair
Explorer

Thank you for the reply DalJeanis - I verified that there are no longer any saved searches under /$SPLUNK_HOME/etc/users/oldowner/local/savedsearches.conf, which appears to only affect unshared saved searches.

0 Karma