Why can't admins see private Orphaned Scheduled Se...

SReopelle · ‎05-02-2024

Splunk version is 9.1.0.2

We are trying to resolve searches that are orphaned from the report "Orphaned Scheduled Searches, Reports, and Alerts". The list does not match the what we see under the "Reassign Knowledge Objects" since we resolved all of those.

I am unable to find the searches (I believe they are private) but want to know why I, as an admin, am unable to manage these searches. If anything just to disable them.. Many of the users have since left our company and I need to manage their items.

Please help!!!

tej57 · ‎05-03-2024

Hello @SReopelle,

Additionally, you can try checking the list of KOs in All Configurations page from the Settings menu. You'll be able to find all the knowledge objects there.

Thanks,
Tejas.

tdinesh · ‎05-03-2024

I have seen this behaviour in the past.

It may not be issue with private objects. The IDs must be authenticated viz LDAP or Active directory, And since they left the organisation those IDs would have be permanently removed.

Try creating a local Splunk user account with the same ID and you must able to see all the KOs assigned to that ID. Once you reassign/delete those objects, you can delete the local user account.

SReopelle · ‎05-03-2024

The users are still active in Active Directory, but have not logged in for some time. I would be happy to re-assign them, but there is no option for that in the " Orphaned Scheduled Searches, Reports, and Alerts" report. This is the crux of my problem.

The items are not displayed in the Settings > All Configurations app, or report, or whatever it is called.

Why can't admins see private Orphaned Scheduled Searches, Reports, and Alerts

other

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users