I have a few orphaned searches, which I need to reassign, disable, or delete. I am not able to do any of these.
1. The orphaned searches, which I can see in splunk/app/search/orphaned_scheduled_searches..............
Here the sharing is at user level.
But I am not able to see the same in Settings > All configurations > Reassign Knowledge objects.
When I search the alert name by selecting the orphaned, I am not getting any results.
2. When I checked the owner name in the internal index, it shows that the user has been disabled.
Now how can I reassign, disable, or delete these searches?
Is there any chance to do this via CLI?
Please help on this.
Hi @Harish2
Yes, private scheduled searches can be a pain to share/disable.
I assume you are a Splunk admin on your platform. You could try and find the saved search under Settings > Searches, reports, and alerts. This sometimes works.
If it does show there then a Splunk admin should be able to disable or share the saved search. Once shared you should also be able to reassign ownership under Reassign Knowledge objects.
In my environment, authentication is LDAP based. When a user is removed (no longer appears under Settings > Users) we sometimes have to create a temp local user, with the exact same username, log on as that user and then disable/share their private saved search. Once done the temp local user can be deleted again.
Hope this helps
Hi @yeahnah
If it does show there then a Splunk admin should be able to disable or share the saved search. Once shared you should also be able to reassign ownership under Reassign Knowledge objects. ---> Here also I am not able to see the orphaned alerts to disable or reassign.
In my environment, authentication is LDAP based. When a user is removed (no longer appears under Settings > Users) we sometimes have to create a temp local user, with the exact same username, log on as that user and then disable/share their private saved search. Once done the temp local user can be deleted again. ---> Yes, I am an admin, but I am not sure how to create this user and delete it again.
Can you please provide complete steps to do this activity?
Hi @Harish2
It's simple enough via the UI - try on a test system to become familiar.
Depending on the version of Splunk you have, the add new user steps may be slightly different. The best place to look is via the excellent Splunk documentation. Here's a link to the latest version (assuming Splunk Enterprise).
https://docs.splunk.com/Documentation/Splunk/9.0.3/Security/Addandeditusers
Select the relevant Splunk version (UI: Help > About) at the top of the doc and give it a go.
Note: You may need to look at an existing user to see what Splunk roles the new user needs.
Hi @yeahnah, thanks for your help, it really worked.