How to delete or disable the orphaned searches?

Harish2
Path Finder

I have a few orphaned searches which I need to reassign, disable or delete. I am not able to do any of these.

1. The orphaned searches can be seen in splunk/app/search/orphaned_scheduled_searches...
Here the sharing is at user level,
but I am not able to see the same in Settings > All configurations > Reassign Knowledge objects.
When I search the alert name by selecting "orphaned", I am not getting any results.

2. When I checked the owner name in the internal index, it shows that the user has been disabled.

Now how can I reassign, disable or delete these searches?
Is there any chance to do this via the CLI?
Please help on this.


yeahnah
Motivator

Hi @Harish2 

Yes, private scheduled searches can be a pain to share/disable.  

I assume you are a Splunk admin on your platform.  You could try and find the saved search under Settings > Searches, reports, and alerts.  This sometimes works.

If it does show there then a Splunk admin should be able to disable or share the saved search.  Once shared you should also be able to reassign ownership under Reassign Knowledge objects.

In my environment, authentication is LDAP based.  When a user is removed (no longer appears under Settings > Users) we sometimes have to create a temp local user, with the exact same username, log on as that user and then disable/share their private saved search.  Once done the temp local user can be deleted again.

Hope this helps   

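The temp-user workaround described above, driven through splunkd's REST API instead of the UI (this also covers the CLI route asked about in the question), as an added example that is not part of this thread. It assumes the caller supplies the management-port URL, an admin "user:password" string and an ssl.SSLContext that trusts that port's certificate, and that the saved/searches endpoint's add_orphan_field=yes parameter and each saved search's acl sub-endpoint behave as documented in the Splunk REST API reference; only orphaned_scheduled runs against the constructed SAMPLE without a server.

```python
import json
import secrets
import urllib.parse
import urllib.request
from base64 import b64encode

def _truthy(v):
    # splunkd renders flags inconsistently: True, "1" and "true" all mean set
    return v is True or str(v).lower() in ("1", "true")

def orphaned_scheduled(listing):
    """From a saved/searches JSON listing (GET /servicesNS/-/-/saved/searches
    ?output_mode=json&count=0&add_orphan_field=yes), return (name, app, owner)
    of enabled scheduled searches whose owner no longer exists."""
    out = []
    for e in listing.get("entry", []):
        c, acl = e["content"], e["acl"]
        if (_truthy(c.get("orphan")) and _truthy(c.get("is_scheduled"))
                and not _truthy(c.get("disabled"))):
            out.append((e["name"], acl["app"], acl["owner"]))
    return out

def _call(base, auth, path, data=None, method=None, ctx=None):
    # base like "https://splunk.example:8089", auth "admin:password",
    # ctx an ssl.SSLContext trusting the management-port certificate
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(base + path, data=body, method=method)
    req.add_header("Authorization", "Basic " + b64encode(auth.encode()).decode())
    with urllib.request.urlopen(req, context=ctx) as r:
        return json.load(r)

def reassign_orphan(base, auth, name, app, old_owner, new_owner, ctx=None):
    """Recreate old_owner as a throwaway local account (the trick from the
    reply above), move the search to new_owner at app sharing so it becomes
    visible under Reassign Knowledge Objects, then delete the account again."""
    q = urllib.parse.quote(name, safe="")
    _call(base, auth, "/services/authentication/users?output_mode=json", ctx=ctx,
          data={"name": old_owner, "password": secrets.token_urlsafe(24), "roles": "user"})
    _call(base, auth, f"/servicesNS/{old_owner}/{app}/saved/searches/{q}/acl?output_mode=json",
          data={"owner": new_owner, "sharing": "app"}, ctx=ctx)
    _call(base, auth, f"/services/authentication/users/{old_owner}?output_mode=json",
          method="DELETE", ctx=ctx)

# Constructed sample of a listing response; only the first entry is orphaned.
SAMPLE = {"entry": [
    {"name": "Nightly failed logins", "acl": {"app": "search", "owner": "jdoe"},
     "content": {"orphan": True, "is_scheduled": True, "disabled": False}},
    {"name": "Weekly report", "acl": {"app": "search", "owner": "admin"},
     "content": {"orphan": False, "is_scheduled": "1", "disabled": "0"}},
]}
```

Run orphaned_scheduled over the real listing first and review the hits, since each one is a scheduled job still executing under an identity that no longer exists.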

Harish2
Path Finder

Hi @yeahnah
If it does show there then a Splunk admin should be able to disable or share the saved search.  Once shared you should also be able to reassign ownership under Reassign Knowledge objects. ---> Here also I am not able to see the orphaned alerts to disable or reassign.

In my environment, authentication is LDAP based.  When a user is removed (no longer appears under Settings > Users) we sometimes have to create a temp local user, with the exact same username, log on as that user and then disable/share their private saved search.  Once done the temp local user can be deleted again. ---> Yes, I am an admin, but I am not sure how to create this user and delete it again.
Can you please provide the complete steps for this activity?


yeahnah
Motivator

Hi @Harish2 

It's simple enough via the UI - try on a test system to become familiar.

Depending on the version of Splunk you have, the add new user steps may be slightly different.  The best place to look is via the excellent Splunk documentation.  Here's a link to the latest version (assuming Splunk Enterprise).

https://docs.splunk.com/Documentation/Splunk/9.0.3/Security/Addandeditusers

Select the relevant Splunk version (UI: Help > About) at the top of the doc and give it a go.  

Note: You may need to look at an existing user to see what Splunk roles the new user needs.

 

Harish2
Path Finder

Hi @yeahnah, thanks for your help, it really worked.
