Splunk Search

Saved Search Owner Gone


If the user who owns a saved search is locked our or deleted, what will become of their saved searches? Do I need to modify the local.meta file, or will the jobs simply become orphaned? If they become orphaned, will they still run?

Tags (3)


If you delete a user, the PRIVATE saved searches owned by the user will be deleted. If the user has SHARED any searches (or other knowledge objects), they will still exist.

The shared knowledge objects will still have the deleted user's name attached to them; they may be deleted by the Splunk admin. However, I don't think there is any mechanism for the Splunk admin to assign the saved searches to another user.


Would be handy if reassign was implemented; in 6.4 orphaned searches are brought to your attention, but the only solution to make it work again is clone to something renamed, remove the original search, and clone to the original name again (and remove the temp clone).

0 Karma

Splunk Employee
Splunk Employee

For those of you on *Nix machines would be able to do something like this:
for x in find . -name 'local.meta'; do cp $x $x.old ; sed s/olduser/newuser/ < $x > $x.new ; mv -f $x.new $x ; done
This will make a backup of the local.meta, swap out the olduser for the newuser and copy it over the local.meta. All you should have to do is restart Splunk.


Although you could do this:

Determine the app that the savedsearch (or tag or eventtype etc) belongs to. Edit the file

Find the item(s) that need to be changed, and update the owner field.

This should change the owner. AFAIK, there is no way to do this from the GUI.

0 Karma


If you delete user, the saved search owned by the user will be deleted. Configuration owned by user is stored in $SPLUNK_HOME/etc/user directory. If you remove the user completely, those configuration will be also removed.

0 Karma

Esteemed Legend

Only those searches that have Private permissions; the ones with App or Global are located elsewhere and will not be deleted but will switch to ownership of nobody.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...