Reporting

User departure causes summary indexes to not schedule

crhyne
Engager

I have a dashboard that depends on multiple summary indexes, all of which have global permissions. The summary indexes are owned by user no longer in our Splunk system. When I attempt to enable these indexes, they disable at the next scheduled run. I have admin privileges, but I don't see how I can change the owner without re-creating the searches (there are too many to do this).

  1. Why won't Splunk run scheduled searches because they were created by a former user?
  2. Is there a relatively painless way to change the owner? I'm guessing there is a file on the server that can be edited, but why not an in-app solution?

I'm running 4.1.5 and need a fix without upgrading to 4.2 (which doesn't appear to have fixed the problem).

1 Solution

jbsplunk
Splunk Employee
Splunk Employee

I talked about a similar issue here:

http://splunk-base.splunk.com/answers/10946/authorizationfailed-http-403-when-clicking-on-the-link-i...

The fix is to update local.meta with the new owner of the search.

The search won't run because the former user does not exist, hence the permissions that the non existent user has don't allow the search to run. I can't answer as to why this isn't in the product, but I have a defect filed on the behavior that will be turned into a feature like this in the future. Seems to me that you should be able to change ownership via the UI to specific users, at least with users assigned to the admin role.

View solution in original post

jbsplunk
Splunk Employee
Splunk Employee

I talked about a similar issue here:

http://splunk-base.splunk.com/answers/10946/authorizationfailed-http-403-when-clicking-on-the-link-i...

The fix is to update local.meta with the new owner of the search.

The search won't run because the former user does not exist, hence the permissions that the non existent user has don't allow the search to run. I can't answer as to why this isn't in the product, but I have a defect filed on the behavior that will be turned into a feature like this in the future. Seems to me that you should be able to change ownership via the UI to specific users, at least with users assigned to the admin role.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...