Inability to delete alerts/reports after LDAP upda...

Reece · ‎09-24-2024

Hello,
I recently updated a distributed environment with a bundle via the deployer to update the authentication.conf to have an updated LDAP strategy. Since then there have been a number of issue with users not being able to delete their knowledge objects which prompted me to try as my Admin user. However this is the error I am receiving when trying to delete via the web ui:

09-24-2024 16:52:13.948 +0000 ERROR SavedSearchAdminHandler [2802356 TcpChannelThread] - This saved search failed to handle removal request due to Object id=<alert/report name> cannot be deleted in config=savedsearches.

I am using Splunk Enterprise version 9.3.0.

dural_yyz · ‎09-25-2024

If you have a search head cluster on prem try electing a new captain to force push a new SHC bundle.

If that doesn't work then more information would be required about how user and roles are working and if you have any thing has changed there. Is there anything via auth .conf doesn't show up anymore.

Reece · ‎09-26-2024

I have elected a new captain in my SH cluster a few times over the course of a couple days to see if there was some type of connection issue b/w specific SHs but still presenting same error. The only changes in auth.conf were the ldap servers, the hosts, the groupings and permissions are all identical.

Inability to delete alerts/reports after LDAP update

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation