Splunk Enterprise

Should we reassign orphaned searches to the Splunk admin account?

Gregski11
Contributor

Our main Splunk administrator retired, and we have since disabled his Active Directory account, which he used to create and manage hundreds of Splunk searches. These are now listed as Orphaned under Settings \ All Configurations \ Reassign Knowledge Objects \ Orphaned.

We have the option of reassigning these searches to other domain accounts belonging to regular, non-admin Splunk users, or to the built-in default Splunk admin account, which is a local account on the box with no domain permissions. So the question is: should we do that, since there is also this warning:

Knowledge object ownership changes can have side effects such as giving saved searches access to previously inaccessible data or making previously available knowledge objects unavailable. Review your knowledge objects before you reassign them.

Running Splunk version 9.0.0 on the Microsoft Windows platform.


richgalloway
SplunkTrust

A better approach, IMO, is to create a service account and reassign the old admin's KO to the new account.  Give the service account the same role(s) as the old admin and there should be no worries about access.

Using a service account means you don't have to go through this exercise again when the new owner leaves.

---
If this reply helps you, Karma would be appreciated.
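
An added example (not part of the reply above and not Splunk's own code): a pre-check for the warning quoted in the question, computing which indexes a search would gain or lose access to when its owner changes. The role names, index names, account names and the `ROLES`/`INDEXES` tables are constructed sample data modelled on the `importRoles` and `srchIndexesAllowed` settings of authorize.conf.

```python
from fnmatch import fnmatchcase

# Constructed sample data (not from the thread), modelled on authorize.conf.
ROLES = {
    "user": {"importRoles": [], "srchIndexesAllowed": ["main"]},
    "power": {"importRoles": ["user"], "srchIndexesAllowed": []},
    "admin": {"importRoles": ["power"], "srchIndexesAllowed": ["*", "_*"]},
    "sec_analyst": {"importRoles": ["user"], "srchIndexesAllowed": ["wineventlog"]},
}
INDEXES = ["main", "wineventlog", "firewall", "_internal", "_audit"]


def effective_roles(names):
    """Expand importRoles transitively; tolerate inheritance cycles."""
    seen, stack = set(), list(names)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLES[role]["importRoles"])
    return seen


def index_matches(index, pattern):
    # A wildcard such as "*" does not cover internal (underscore) indexes;
    # only a pattern that itself starts with "_" can match them.
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatchcase(index, pattern)


def searchable_indexes(role_names):
    """Indexes a user holding these roles is allowed to search."""
    patterns = [p for r in effective_roles(role_names)
                for p in ROLES[r]["srchIndexesAllowed"]]
    return {i for i in INDEXES if any(index_matches(i, p) for p in patterns)}


def reassignment_delta(old_owner_roles, new_owner_roles):
    """Index access a search gains or loses when its owner changes."""
    old = searchable_indexes(old_owner_roles)
    new = searchable_indexes(new_owner_roles)
    return {"gained": sorted(new - old), "lost": sorted(old - new)}


if __name__ == "__main__":
    # Hypothetical account names mapped to the roles each would hold.
    candidates = {"svc_splunk_ko": ["admin"], "regular_user": ["sec_analyst"]}
    for account, roles in candidates.items():
        print(account, reassignment_delta(["admin"], roles))
```

An empty delta for a candidate owner means the reassigned searches keep the same index access they had under the old owner; any entry under `gained` or `lost` is a search to review before reassigning.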

Gregski11
Contributor

This is verbatim what I said in our staff meeting this morning. Great minds, great minds indeed.
