hi
we have Splunk connected to Active Directory and we cannot add local users so we cannot reassign orphaned searches in order to delete them.
is there a way to delete them without reassigning them??
thanks
Any user with admin
role should be able to delete them. You definitely should have at least 1 admin.
You can manually edit savedsearches.conf and local.meta to remove the stanzas.
You will need to identify the app that has these searches, to locate the appropriate configuration files.
Be sure to take a backup first!