Inability to delete alerts/reports after LDAP update

Reece
Loves-to-Learn

Hello,
I recently updated a distributed environment with a bundle via the deployer to update the authentication.conf to have an updated LDAP strategy. Since then there have been a number of issues with users not being able to delete their knowledge objects, which prompted me to try as my Admin user. However, this is the error I am receiving when trying to delete via the web UI:

09-24-2024 16:52:13.948 +0000 ERROR SavedSearchAdminHandler [2802356 TcpChannelThread] - This saved search failed to handle removal request due to Object id=<alert/report name> cannot be deleted in config=savedsearches.

I am using Splunk Enterprise version 9.3.0.

0 Karma

dural_yyz
Motivator

If you have a search head cluster on prem, try electing a new captain to force push a new SHC bundle.

If that doesn't work, then more information would be required about how users and roles are working and if anything has changed there. Is there anything via auth.conf that doesn't show up anymore?

0 Karma

Reece
Loves-to-Learn

I have elected a new captain in my SH cluster a few times over the course of a couple of days to see if there was some type of connection issue b/w specific SHs, but it is still presenting the same error. The only changes in auth.conf were the LDAP servers, the hosts, the groupings and permissions are all identical.

0 Karma