Security

How can we find all the searches, Alerts, Dashboard and ... created (saved) by a user?

KooroshFooladba
Explorer

The user has left the company and has been removed from Active Directory (LDAP). He owns several searches, dashboards and ...
We need to assign them to another existing user. Currently, when we restart the search heads, we get lots of error messages saying the user does not exist.

mparks11
Path Finder

We've run into this as well. Our solution has been to (in the WebUI) look at Settings --> All Configurations --> Select "All" App context and then either search for the user ID of the user that's been removed, or select that user ID from the "Owner" drop down. From there you can see the items that are owned by that user, and the App context under which they exist. At that point it's a matter of still changing the metadata/local.meta file for each App. Once complete, running a debug/refresh (http[s]://[yoursplunkserver]:[splunk port]/en-US[or your locale]/debug/refresh) has worked sufficiently if a Splunk restart isn't possible.

If you've found a better solution please share!

LewisWheeler
Communicator

Good alternative to restart here! Shame I can't get it to work with a curl command. I assume it needs a session first.

0 Karma

stanhoener
Engager

Create a non-ldap name that is a duplicate of the user that has left the company.
Give this admin privileges.
Log in with that id and change the objects however you want.
When you're done, remember to remove that old id.

0 Karma

KooroshFooladba
Explorer

The following is a sample of the errors we get during the restart of Splunk:
09-13-2014 11:29:32.679 -0400 ERROR AuthenticationManagerLDAP - Could not find user="USERNAME" with strategy="COMPANY_ActiveDirectory"
09-13-2014 11:29:32.680 -0400 ERROR UserManagerPro - Failed to get LDAP user="USERNAME" from any configured servers
09-13-2014 11:29:40.881 -0400 INFO TcpOutputProc - Connected to idx=xxx.xxx.xxx.xxx:9997

0 Karma

Ant1D
Motivator

Hi Koorosh, can you edit your question to include an example error message that you are receiving?

You might be able to change the owner of the objects by editing the local.meta file in the Splunk App where these objects reside. There will be a line (owner = ) under each object.
For example if you created dashboards etc inside the default search app, there would be a corresponding $SPLUNK_HOME/etc/apps/search/metadata/local.meta file containing information about the owners of your savedsearches, dashboards (views) etc. which you can amend.

To be safe, make sure that you copy this file before making any changes.

0 Karma

KooroshFooladba
Explorer

Regarding what you have mentioned about changing the owner in the $SPLUNK_HOME/etc/apps/search/metadata/local.meta file, I already knew about that file, but I believe there are other files that need to be updated as well, for example "$SPLUNK_HOME/etc/apps/APPS/metadata/local.meta".
By APPS I meant the apps that the user is part of and has shared some of his searches or dashboards and ...

0 Karma
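Added example, not code from any poster in this thread: a Python sketch of the approach discussed above, which walks every app's metadata/local.meta under $SPLUNK_HOME/etc/apps, lists the objects whose `owner =` line names the removed user, and rewrites the owner after copying each file. It assumes stanzas of the form `[type/name]` followed by an `owner = ` line; the function names, the user names `jdoe` and `svc_owner`, and the sample tree are constructed for illustration.

```python
import re, shutil, tempfile
from pathlib import Path
from urllib.parse import unquote

STANZA = re.compile(r"^\[(.*)\]\s*$")               # e.g. [savedsearches/My%20Search]
OWNER = re.compile(r"^(\s*owner\s*=\s*)(\S+)\s*$")  # e.g. owner = jdoe

def meta_files(splunk_home):  # every app's local.meta, not only the search app's
    return sorted(Path(splunk_home, "etc", "apps").glob("*/metadata/local.meta"))

def find_owned(splunk_home, user):
    """Return (app, object) pairs whose local.meta stanza has owner = user."""
    hits = []
    for meta in meta_files(splunk_home):
        stanza = ""
        for line in meta.read_text().splitlines():
            if (s := STANZA.match(line)):
                stanza = unquote(s.group(1))  # stanza names are URL-encoded
            elif (o := OWNER.match(line)) and o.group(2) == user:
                hits.append((meta.parts[-3], stanza))  # parts[-3] is the app directory
    return hits

def reassign(splunk_home, old, new):
    """Rewrite owner = old to owner = new; returns the number of files changed."""
    changed = 0
    for meta in meta_files(splunk_home):
        lines = meta.read_text().splitlines(keepends=True)
        fixed = [m.group(1) + new + "\n" if (m := OWNER.match(l)) and m.group(2) == old else l
                 for l in lines]
        if fixed != lines:
            shutil.copy2(meta, meta.with_name("local.meta.bak"))  # copy before editing
            meta.write_text("".join(fixed))
            changed += 1
    return changed

def build_sample():
    """Constructed sample tree (not from the thread): removed user 'jdoe' owns objects in two apps."""
    home = Path(tempfile.mkdtemp())
    files = {"search": "[savedsearches/Failed%20Logins]\nowner = jdoe\n\n[views/ops_overview]\nowner = admin\n",
             "netops": "[views/vpn_dashboard]\naccess = read : [ * ], write : [ admin ]\nowner = jdoe\n"}
    for app, text in files.items():
        meta = home / "etc" / "apps" / app / "metadata" / "local.meta"
        meta.parent.mkdir(parents=True)
        meta.write_text(text)
    return home

if __name__ == "__main__":
    home = build_sample()
    print(find_owned(home, "jdoe"))
    print(reassign(home, "jdoe", "svc_owner"), "file(s) updated")
```

On a real search head, run `find_owned` first as a read-only inventory; after `reassign`, the debug/refresh or restart mentioned earlier in the thread is still needed for the change to be picked up.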