Splunk Enterprise

Disabled/Deleted users are appearing in Investigators Panel in Enterprise Security

vr2312
Builder

I am currently on Splunk ES 7.3.2 (Splunk Enterprise Security), where I can see that users who used to be part of the organisation but are now deleted/disabled (in Splunk) are still populating when I try to assign new investigations to other current members of the organisation.

For instance, Incident Review -> Notable -> Create Investigation

In the investigation panel, when I try to assign the investigation to other members of the team, I can also see disabled/deleted accounts/users/members as an option to assign the investigation to.

Is there any way we can remove these members from populating so that the list of investigators replicates the current numbers we have in the team?

0 Karma
1 Solution

vr2312
Builder

Adding the solution to this so that it can help others. 

The names of the investigators are populated in the KV Store, user_realnames. Here are the steps that need to be taken to remove the old investigators.

  1. Navigate to the app "Splunk App for Lookup File Editing" for editing the KV Store.
  2. On the Lookups page, find the “user_realnames_lookup” file and edit it.
  3. Delete the users who are not part of the organization currently. To delete, select any cell in the table and right-click; you will see options to delete the selected rows if needed.
  4. Ensure that the profiles no longer appear in the investigators section after the lookup update.


0 Karma
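
An added example, not part of the original post: an SPL search that lists the rows of user_realnames_lookup with no matching account on the local Splunk instance, so you know which rows to delete in step 3. It assumes the lookup keeps the username in a field named user (check the column names in the Lookup Editor first); kv_key is a helper field introduced here to expose each row's KV Store key.

```spl
| inputlookup user_realnames_lookup
| eval kv_key=_key
| search NOT
    [| rest /services/authentication/users splunk_server=local
     | rename title AS user
     | fields user ]
| table kv_key *
```

The search only reads the lookup and changes nothing. Accounts that have been deleted no longer appear in the REST listing, so their rows are returned as stale; re-run it after the edit as the check for step 4.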


fahimeh
Explorer

I have the same problem.
What did you do to solve it?

0 Karma

vr2312
Builder

Hi @fahimeh, I just added the solution to this onto the post. Please upvote for more reach 🙂

0 Karma