In our Splunk infra, we have so many developers creating objects. We had just faced a problem when few number of employee left organization and their alerts stopped working as the owner(employee) id was disabled from active directory. Also objects were created using own id's.
We thought of creating a group contains all the developers and share the password with all. So that none of the object will be disabled after user/developer leave company. We did not find it optimal from security point of view. Can anyone suggest for this issue?
So as I'm sure you've found, a Splunk Admin can change Ownership of objects through the REST API as detailed in this answer
So simple options include either be part of the off boarding process and transfer ownership of Splunk objects to another employee. OR have a process by which Splunk objects are "promoted" to be owned by a generic user that no one has to log in as.
At my company I'm pushing to moving to the idea that developers can work within test apps / environments all they want, but to go to production, they need to package custom Splunk App(s) which are managed in source control, peer-reviewed, and installed in appropriate environments by our configuration management solution (Chef). But that's going to take a while to get there 🙂