I have a dashboard that depends on multiple summary indexes, all of which have global permissions. The summary indexes are owned by user no longer in our Splunk system. When I attempt to enable these indexes, they disable at the next scheduled run. I have admin privileges, but I don't see how I can change the owner without re-creating the searches (there are too many to do this).
I'm running 4.1.5 and need a fix without upgrading to 4.2 (which doesn't appear to have fixed the problem).
I talked about a similar issue here:
The fix is to update local.meta with the new owner of the search.
The search won't run because the former user does not exist, hence the permissions that the non existent user has don't allow the search to run. I can't answer as to why this isn't in the product, but I have a defect filed on the behavior that will be turned into a feature like this in the future. Seems to me that you should be able to change ownership via the UI to specific users, at least with users assigned to the admin role.
I talked about a similar issue here:
The fix is to update local.meta with the new owner of the search.
The search won't run because the former user does not exist, hence the permissions that the non existent user has don't allow the search to run. I can't answer as to why this isn't in the product, but I have a defect filed on the behavior that will be turned into a feature like this in the future. Seems to me that you should be able to change ownership via the UI to specific users, at least with users assigned to the admin role.