
User has left the company, now getting "Could not find user:" errors

Motivator

I've had a few users leave the company now that have had saved searches. Removing the $splunkhome/etc/users/<username> directory doesn't resolve the errors.

If I search for files that contain the login name, I find the following example entry for "tuser":
etc/apps/search/local/viewstates.conf:
[viewstates/flashtimeline%3Agu5s5mv8]
owner = tuser
version = 4.2.3
export = system

Is it safe to remove these entries? Is there a better way to remove terminated users?


Re: User has left the company, now getting "Could not find user:" errors

Motivator

Removing those entries in viewstates.conf doesn't resolve the error either.

0 Karma

Re: User has left the company, now getting "Could not find user:" errors

Builder

Make sure the user's not in any meta files either. If you're on a Linux machine I'd do the following:

grep -r "username" $SPLUNK_HOME

That'll find all instances of the user name in any configuration files.
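A narrower variant of the search suggested above, as an added example that is not part of the original thread: it reports only the stanzas whose `owner` value equals the login exactly, so "tuser" does not also match "tuser2". The function names and the sample tree are hypothetical and constructed for illustration; it assumes ownership is recorded as `owner = <name>` lines under `[stanza]` headers in `*.conf` and `*.meta` files, as in the entry quoted in the question.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): list stanzas owned by a given login.
# Assumption: ownership appears as "owner = <name>" lines under [stanza] headers
# in *.conf and *.meta files, as in the entry quoted in the question.

find_owned_stanzas() {
    # $1 = login name, $2 = directory to scan, e.g. "$SPLUNK_HOME/etc"
    find "$2" -type f \( -name '*.conf' -o -name '*.meta' \) \
        -exec awk -v user="$1" '
            FNR == 1 { stanza = "(no stanza)" }      # reset at the start of each file
            /^[ \t]*\[.*\][ \t]*$/ {                 # remember the current stanza header
                stanza = $0
                gsub(/^[ \t]+|[ \t]+$/, "", stanza)
                next
            }
            /^[ \t]*owner[ \t]*=/ {
                val = $0
                sub(/^[^=]*=[ \t]*/, "", val)        # drop "owner =" and leading blanks
                sub(/[ \t]+$/, "", val)              # drop trailing blanks
                # exact comparison: "tuser" must not match "tuser2"
                if (val == user) printf "%s:%d: %s\n", FILENAME, FNR, stanza
            }
        ' {} +
}

make_sample_tree() {
    # Constructed sample data for trying the function offline; $1 = empty directory.
    mkdir -p "$1/apps/search/local" "$1/apps/search/metadata"
    cat > "$1/apps/search/local/viewstates.conf" <<'EOF'
[viewstates/flashtimeline%3Agu5s5mv8]
owner = tuser
version = 4.2.3
export = system
EOF
    cat > "$1/apps/search/metadata/local.meta" <<'EOF'
[savedsearches/Example%20search]
owner = tuser2
[viewstates/flashtimeline%3Aexample01]
owner = tuser
EOF
}

# Usage: ./find_owned.sh tuser "$SPLUNK_HOME/etc"
if [ "$#" -eq 2 ]; then find_owned_stanzas "$1" "$2"; fi
```

The script only reports `file:line: [stanza]` and changes nothing, so its output can be reviewed before any entry is reassigned or removed.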