Splunk Enterprise Security

Splunk Enterprise Security: How do I Reassign a Splunk ES Correlation Search to a New User?

Path Finder

We have a Splunk ES user who has left and now their correlation searches are orphaned. I am aware of the feature to clone a saved search, but wasn't sure if Splunk ES needed additional steps to ensure the notable and other ES data would be retained with the clone. I tried to clone the correlation search, but this only created a new saved search and not a true correlation search with notable information.

0 Karma
1 Solution

Path Finder

By editing the local.meta file in the various Splunk ES apps (e.g. SA-AuditAndDataProtection) at /opt/splunk/etc/apps/app-name/metadata/local.meta and replacing the disabled owner with the username of an active user, the orphaned searches notification was resolved.

View solution in original post

0 Karma

Path Finder

By editing the local.meta file in the various Splunk ES apps (e.g. SA-AuditAndDataProtection) at /opt/splunk/etc/apps/app-name/metadata/local.meta and replacing the disabled owner with the username of an active user, the orphaned searches notification was resolved.

View solution in original post

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!