Splunk Search

How do I find an orphaned search in Splunk 6.4.1?

tweaktubbie
Communicator

After migrating to 6.4.1, we are now notified of orphaned objects. Cleaned them up or cloned them to new ones, but one remains:

Splunk has found 1 orphaned searches owned by 1 unique disabled users. Click to view the orphaned scheduled searches. Reassign them to a valid user to re-enable or alternatively disable the searches.
I have the admin role and user context/app all, but I'm still not able to locate the user/search name. Is there some way to rebuild any repository or config files? It now seems there's some ghost object in the system.

0 Karma
1 Solution

inventsekar
SplunkTrust

from https://answers.splunk.com/answers/418132/orphaned-scheduled-search-doesnt-work.html
please check
| rest splunk_server=local /services/saved/searches add_orphan_field=1
or
| rest splunk_server=local /services/saved/searches
or
| rest /servicesNS/-/-/saved/searches add_orphan_field=yes count=0

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !


dhruv05
New Member

Try this..

| rest splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing

0 Karma

yahuja_splunk
Splunk Employee

This works in 6.4.4.

| rest splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing
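
One way to apply the same filter outside the search bar, as an added example that is not code from any post in this thread: a Python script that reads the JSON form of the same REST endpoint (the SPL above fetches it with `| rest`) and keeps only entries with orphan=1, disabled=0 and is_scheduled=1, then counts them per owner so the result can be compared with the "N orphaned searches owned by M unique disabled users" banner. The response below is a constructed sample; its shape (a top-level `entry` list whose items carry `name`, `acl` and `content`) is assumed to follow Splunk's `output_mode=json` layout, the search names and owners are invented, and the `orphan` flag is assumed to land in `content` when `add_orphan_field=yes` is passed. Note that the `| rest` column `eai:acl.owner` appears as `acl.owner` in JSON.

```python
import json
from collections import Counter

# Constructed sample in the assumed shape of Splunk's JSON output
# (output_mode=json) for
#   /servicesNS/-/-/saved/searches?add_orphan_field=yes&count=0
# All four entries are invented; only the first should be flagged.
SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {   # orphaned, enabled, scheduled -> the case the banner reports
            "name": "Failed logins by host",
            "acl": {"owner": "jdoe", "app": "search", "sharing": "app"},
            "content": {
                "orphan": True, "disabled": False, "is_scheduled": True,
                "cron_schedule": "*/15 * * * *",
                "next_scheduled_time": "2024-12-20T10:15:00+00:00",
                "actions": "email",
            },
        },
        {   # scheduled, but the owner is still a valid user -> not orphaned
            "name": "Daily license usage",
            "acl": {"owner": "admin", "app": "search", "sharing": "global"},
            "content": {
                "orphan": False, "disabled": False, "is_scheduled": True,
                "cron_schedule": "0 6 * * *",
                "next_scheduled_time": "2024-12-21T06:00:00+00:00",
                "actions": "",
            },
        },
        {   # orphaned but already disabled (flags as "1"/"0" strings) -> not flagged
            "name": "Old VPN report",
            "acl": {"owner": "former_contractor", "app": "search", "sharing": "user"},
            "content": {
                "orphan": "1", "disabled": "1", "is_scheduled": "1",
                "cron_schedule": "0 * * * *",
                "next_scheduled_time": "",
                "actions": "",
            },
        },
        {   # orphaned ad-hoc saved search that was never scheduled -> not flagged
            "name": "Scratch query",
            "acl": {"owner": "former_contractor", "app": "search", "sharing": "user"},
            "content": {"orphan": True, "disabled": False, "is_scheduled": False},
        },
    ]
})


def _is_true(value):
    """Accept JSON booleans as well as the "1"/"0" strings Splunk sometimes emits."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true", "yes")


def find_orphaned_scheduled(response_text):
    """Python equivalent of the SPL pipeline:
         | search orphan=1 disabled=0 is_scheduled=1
         | eval status = if(disabled = 0, "enabled", "disabled")
         | fields ... | rename title AS "search name" eai:acl.owner AS owner ...
    Returns one dict per orphaned, enabled, scheduled search."""
    data = json.loads(response_text)
    rows = []
    for entry in data.get("entry", []):
        content = entry.get("content", {})
        acl = entry.get("acl", {})
        orphan = _is_true(content.get("orphan", False))
        disabled = _is_true(content.get("disabled", False))
        scheduled = _is_true(content.get("is_scheduled", False))
        if not (orphan and not disabled and scheduled):
            continue
        rows.append({
            "search name": entry.get("name"),
            "owner": acl.get("owner"),
            "app": acl.get("app"),
            "sharing": acl.get("sharing"),
            "orphan": 1,
            "status": "disabled" if disabled else "enabled",
            "is_scheduled": 1,
            "cron_schedule": content.get("cron_schedule"),
            "next_scheduled_time": content.get("next_scheduled_time"),
            "actions": content.get("actions"),
        })
    return rows


def summarize_by_owner(rows):
    """Count flagged searches per (disabled) owner, to compare with the banner text."""
    return dict(Counter(row["owner"] for row in rows))


if __name__ == "__main__":
    hits = find_orphaned_scheduled(SAMPLE_RESPONSE)
    for row in hits:
        print(f'{row["search name"]!r} owner={row["owner"]} app={row["app"]} '
              f'status={row["status"]} cron={row["cron_schedule"]}')
    by_owner = summarize_by_owner(hits)
    print(f"{len(hits)} orphaned searches owned by {len(by_owner)} unique disabled users")
```

Against the sample, only "Failed logins by host" survives the filter: the second entry has a valid owner, the third is orphaned but already disabled, and the fourth was never scheduled. Feeding the script the real endpoint's JSON instead of the sample lets you check the count against the banner without waiting on the search-time `| rest` call that some posters report timing out.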

duartet
Path Finder

Yes, that is the most correct answer. Thanks Yahuja.

0 Karma

darlas
Communicator

Hi.

Thanks for this idea. I get "connection failed with Read timeout" when I run this.

I'm on 6.5.1 so maybe this no longer works in latest version?

0 Karma

christian_l
Path Finder

Try removing the splunk_server=local within the first | rest query.
This one worked for me:
| rest /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing

0 Karma

yahuja_splunk
Splunk Employee

Maybe. I am not sure.

0 Karma

pradeepkumarg
Influencer

@darlas Did you get a solution to this? I upgraded to 6.5.2 and am facing the same "connection failed with Read timeout" situation.

0 Karma

darlas
Communicator

Sorry, no solution. Just living with the orphaned searches for now. Sorry to not be of any help to you.

0 Karma

tweaktubbie
Communicator

Works fine here on 6.5.1. Does executing the first line only give output? (And yeah, the first time I got the '5.' included in the copy/paste, which of course does not work ;))

0 Karma

darlas
Communicator

I tried all 3 commands and none seemed to identify orphaned searches. Maybe I am not sure how to interpret the output.

0 Karma