Splunk Search

How do I find an orphaned search in Splunk 6.4.1?

tweaktubbie
Communicator

After migrating to 6.4.1, we are now notified of orphaned objects. Cleaned them up or cloned them to new ones, but one remains:

Splunk has found 1 orphaned searches owned by 1 unique disabled users. Click to view the orphaned scheduled searches. Reassign them to a valid user to re-enable or alternatively disable the searches.
I have the admin role and user context/app all, but I'm still not able to locate the user/search name. Is there some way to rebuild any repository or config files? It now seems there's some ghost object in the system.

0 Karma
1 Solution

inventsekar
SplunkTrust
SplunkTrust

from https://answers.splunk.com/answers/418132/orphaned-scheduled-search-doesnt-work.html
please check
| rest splunk_server=local /services/saved/searches add_orphan_field=1
or
| rest splunk_server=local /services/saved/searches
or
| rest /servicesNS/-/-/saved/searches add_orphan_field=yes count=0

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

dhruv05
New Member

Try this..

| rest splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing

0 Karma

yahuja_splunk
Splunk Employee
Splunk Employee

this works in 6.4.4.

| rest splunk_server=local /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing

duartet
Path Finder

Yes that is the most correct answer. Thanks Yahuja.

0 Karma

darlas
Communicator

Hi.

Thanks for this idea. I get "connection failed with Read timeout" when I run this.

I'm on 6.5.1 so maybe this no longer works in latest version?

0 Karma

christian_l
Path Finder

Try removing the splunk_server=local within the first | rest query.
This one worked for me:
| rest /servicesNS/-/-/saved/searches add_orphan_field=yes count=0
| search orphan=1 disabled=0 is_scheduled=1
| eval status = if(disabled = 0, "enabled", "disabled")
| fields title eai:acl.owner eai:acl.app eai:acl.sharing orphan status is_scheduled cron_schedule next_scheduled_time next_scheduled_time actions
| rename title AS "search name" eai:acl.owner AS owner eai:acl.app AS app eai:acl.sharing AS sharing

0 Karma

yahuja_splunk
Splunk Employee
Splunk Employee

may be. i am not sure.

0 Karma

pradeepkumarg
Influencer

@darlas Did you get a solution to this? I upgraded to 6.5.2 and facing the same "connection failed with Read timeout" situation.

0 Karma

darlas
Communicator

sorry no solution. just living with the orphaned searches for now. sorry to not be of any help to you.

0 Karma

tweaktubbie
Communicator

works fine here on 6.5.1. does executing the first line only give output? (and yeah first time got the '5.' included in the copy/paste which of course does not work ;))

0 Karma

inventsekar
SplunkTrust
SplunkTrust

from https://answers.splunk.com/answers/418132/orphaned-scheduled-search-doesnt-work.html
please check
| rest splunk_server=local /services/saved/searches add_orphan_field=1
or
| rest splunk_server=local /services/saved/searches
or
| rest /servicesNS/-/-/saved/searches add_orphan_field=yes count=0

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

darlas
Communicator

I tried all 3 commands and none seemed to identify orphaned searches. maybe I am not sure how to interpret the output.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...