Hi there,
One of my colleagues, who has admin access, created a dashboard for an audit to show who logged into Splunk and how many times each user logged in over the last 7 days. One of the users left the organization in January; we deleted his account with the admin login and also transferred all of his knowledge objects to another user. But now we are seeing his name in the dashboard, and alerts are triggering on his name as well. We checked the user list again and his name was not there, but we are still seeing his name in the alerts and dashboard. Can anyone help me with it?
The search query used for creating the dashboard is:
index=_internal sourcetype=splunkd_access | timechart span=6h count by user
The raw event displayed when running the query is:
127.0.0.1 - name of the user* [28/Mar/2022:05:28:17.505 +0000] "POST /servicesNS/nobody/search/saved/searches/Single%20User%20Failed%20Attempt/notify?trigger.condition_state=1 HTTP/1.1" 200 1933 "-" "Splunk/8.1.0 (Linux 4.15.0-1023-azure; arch=x86_64)" - 2ms
Please help me resolve it. Thanks in advance.
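A point worth checking before chasing the missing account: splunkd_access.log records every REST request that splunkd serves, not only logins. The raw event quoted above is a POST to a saved search's notify endpoint made by splunkd itself (note the Splunk/8.1.0 user agent), so a plain `count by user` over that sourcetype counts scheduled-alert traffic as if it were interactive logins. The script below is an added example, not part of this thread or of Splunk; it parses constructed splunkd_access-style lines and splits the per-user counts into interactive logins (POST /services/auth/login, 200 vs non-200), alert/scheduler actions (saved-search notify or dispatch calls), and everything else. The user names, IPs and log lines are made up for the example; the path and user-agent heuristics are my assumptions based on the event shape shown in the post.

```python
import re
from collections import Counter

# Shape of a splunkd_access.log line as quoted in the post (Apache-style access
# log with a trailing request duration). Group names are the fields we use.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

# Assumption: the web UI login is proxied to this splunkd endpoint.
LOGIN_PATH = "/services/auth/login"

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Label one request: login_ok, login_fail, alert_action, or other."""
    uri = rec["uri"].split("?", 1)[0]          # drop query string
    if rec["method"] == "POST" and uri == LOGIN_PATH:
        return "login_ok" if rec["status"] == "200" else "login_fail"
    # Saved-search notify/dispatch calls are issued by the scheduler on behalf of
    # the search owner; the "Splunk/<version>" user agent (as in the quoted event)
    # is a second hint that the request did not come from a browser.
    if "/saved/searches/" in uri and (uri.endswith("/notify") or "/dispatch" in uri):
        return "alert_action"
    return "other"

def summarize(lines):
    """Per-user Counter of request categories; the dashboard's `count by user`
    split so scheduler traffic is not mistaken for logins."""
    out = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        out.setdefault(rec["user"], Counter())[classify(rec)] += 1
    return out

def login_counts(summary):
    """What an 'who logged in' audit should really chart: successful logins only."""
    return {u: c["login_ok"] for u, c in summary.items() if c["login_ok"]}

def users_without_successful_login(summary):
    """Users that appear in the log but never logged in interactively, e.g. a
    deleted account that a scheduled search still runs as."""
    return sorted(u for u, c in summary.items() if c["login_ok"] == 0)

# Constructed sample lines (not real log data); 'olduser' mimics the quoted event.
SAMPLE = """\
10.0.0.5 - alice [28/Mar/2022:05:10:01.000 +0000] "POST /services/auth/login HTTP/1.1" 200 212 "-" "Mozilla/5.0" - 31ms
10.0.0.5 - alice [28/Mar/2022:05:10:02.000 +0000] "GET /servicesNS/alice/search/saved/searches HTTP/1.1" 200 4021 "-" "Mozilla/5.0" - 5ms
10.0.0.9 - bob [28/Mar/2022:05:12:17.000 +0000] "POST /services/auth/login HTTP/1.1" 401 112 "-" "Mozilla/5.0" - 12ms
127.0.0.1 - olduser [28/Mar/2022:05:28:17.505 +0000] "POST /servicesNS/nobody/search/saved/searches/Single%20User%20Failed%20Attempt/notify?trigger.condition_state=1 HTTP/1.1" 200 1933 "-" "Splunk/8.1.0 (Linux 4.15.0-1023-azure; arch=x86_64)" - 2ms
127.0.0.1 - olduser [28/Mar/2022:11:28:17.505 +0000] "POST /servicesNS/nobody/search/saved/searches/Single%20User%20Failed%20Attempt/notify?trigger.condition_state=1 HTTP/1.1" 200 1933 "-" "Splunk/8.1.0 (Linux 4.15.0-1023-azure; arch=x86_64)" - 2ms
"""

if __name__ == "__main__":
    s = summarize(SAMPLE.splitlines())
    for user, counts in sorted(s.items()):
        print(user, dict(counts))
    print("logins:", login_counts(s))
    print("active but never logged in:", users_without_successful_login(s))
```

Run as-is, the sample shows alice with one login and one other request, bob with one failed login, and olduser with two alert actions and no login at all, which is exactly the pattern a deleted owner of a scheduled alert produces.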
Hi @Mohanveera1
Log in with an admin account.
You can also disable the alert by doing this:
Setting -> Searches, reports, and alerts -> <Search alert> -> under ACTION tab -> disable
Thank you for responding to my query. As per your instructions, I have checked the "Send emails as" value in Email Settings; previously we had set a mail ID there, i.e. *****@***. For every alert that is triggered we have set the trigger action to send mail to the recipients, so when an alert triggers we receive the mail from the address *****@***. If I remove the "Send emails as" value from the Email Settings then we cannot receive the mail. Also, the "Send emails as" value in Email Settings is not the user that left the organization; it is another mail ID and there is no relation between the two.
The next step is to disable the alert. I have reassigned all the knowledge objects of the user that left the organization to my name, and there is no alert under his name to disable either.
Please help me get it resolved. Thanks in advance.
What exactly do you want with the alert?
If you don't want to see his name in the dashboard, then change it in:
<SPLUNK_HOME>/etc/apps/<APP_NAME>/default/data/ui/views/*.xml
And if you don't want alerts triggering on his name, then change it in savedsearches.conf:
<SPLUNK_HOME>/etc/apps/<APP_NAME>/default/savedsearches.conf
That's it.
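Before editing any of those files by hand it helps to know where the old user name still lives. Reassigning an object in the UI rewrites its `owner` in the app's metadata/local.meta, but the same name can also survive in an `access` ACL, in a saved search's `action.email.to` list, or in an app that was not checked. Note too that Splunk layers local/ over default/ and app upgrades overwrite default/, so site edits belong in local/. The script below is an added example (not from this thread or from Splunk) that parses constructed .conf/.meta contents and lists every stanza that still names a given user. The file paths, stanza names and values are made up for the example; the `.meta` layout (`owner = …`, `access = read : [ … ], write : [ … ]`) is the format Splunk uses, the rest is illustrative.

```python
import re

STANZA_RE = re.compile(r'^\[(?P<name>[^\]]+)\]\s*$')
KV_RE = re.compile(r'^(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<val>.*)$')

def parse_conf(text):
    """Minimal parser for Splunk .conf/.meta files: {stanza: {key: value}}.
    Comments and blank lines are skipped; keys before the first stanza are ignored."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group("key").strip()] = m.group("val").strip()
    return stanzas

def _mentions(user, value):
    # Whole-word match so 'olduser' does not hit 'olduser2' but does hit 'olduser@...'
    return re.search(r'\b%s\b' % re.escape(user), value) is not None

def references_to_user(files, user):
    """Return (path, stanza, key) for every setting that still names `user`:
    object ownership, ACL membership, or e-mail recipients of an alert action."""
    hits = []
    for path, text in files.items():
        for stanza, kv in parse_conf(text).items():
            for key, val in kv.items():
                if key == "owner" and val == user:
                    hits.append((path, stanza, key))
                elif key == "access" and _mentions(user, val):
                    hits.append((path, stanza, key))
                elif key.startswith("action.email.to") and _mentions(user, val):
                    hits.append((path, stanza, key))
    return hits

# Constructed file contents (hypothetical app 'search', hypothetical user 'olduser').
FILES = {
    "etc/apps/search/metadata/local.meta": """\
[savedsearches/Single%20User%20Failed%20Attempt]
owner = olduser
access = read : [ * ], write : [ admin, olduser ]
modtime = 1647000000.000000000

[views/login_audit]
owner = admin
access = read : [ * ], write : [ admin ]
""",
    "etc/apps/search/local/savedsearches.conf": """\
[Single User Failed Attempt]
search = index=_internal sourcetype=splunkd_access | timechart span=6h count by user
cron_schedule = 0 */6 * * *
enableSched = 1
action.email = 1
action.email.to = olduser@example.com
""",
}

if __name__ == "__main__":
    for path, stanza, key in references_to_user(FILES, "olduser"):
        print(f"{path}: [{stanza}] {key}")
```

On a real system you would feed it the contents of `default/`, `local/` and `metadata/` under every app in `$SPLUNK_HOME/etc/apps` (and `etc/users`), then fix the ownership through the UI or `local.meta` rather than in `default/`.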