Deleting a user does not delete that user's objects. The user's directory still exists on the filesystem and so all objects should still exist. Now, if you have also deleted the user's directory, then you will of course lose those objects.
You can search the index=_audit for the history of searches run/scheduled by the user. If your history is retained far enough back just search for the user's id and some terms from the alert (if you are able to recall them).
Example:
index=_audit user=the_deleted_user earliest=-60d search=alert string
If there's a match you'll see the exact search string that was scheduled.
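If you export the matching _audit events (or pull them from a raw log) rather than working in the search bar, the key=value fields still have to be split apart before the search string can be reused. The script below is an added example, not part of the original answer: it parses a few constructed lines that approximate the shape of Splunk _audit search events (`Audit:[timestamp=..., user=..., action=search, search='...', ...]`), keeps only the deleted user's `action=search` events, optionally filters them by keywords remembered from the alert, and flags the ones whose `search_id` marks them as scheduler runs. The sample lines, the user name and the search strings are all constructed for the demo.

```python
import re
from typing import Dict, List, Sequence

# Constructed sample lines that approximate the shape of Splunk _audit search
# events. They are NOT real audit data; field order and values are illustrative.
SAMPLE_AUDIT_LINES: List[str] = [
    "Audit:[timestamp=03-15-2019 10:22:44.123, user=the_deleted_user, action=search, "
    "info=granted, search_id='1552645364.12', "
    "search='search index=web status=500 | stats count by host', ttl=600, "
    'savedsearch_name=""][n/a]',
    "Audit:[timestamp=03-15-2019 10:23:01.004, user=someone_else, action=search, "
    "info=granted, search_id='1552645381.13', "
    "search='search index=_internal | head 5', ttl=600, savedsearch_name=\"\"][n/a]",
    "Audit:[timestamp=03-15-2019 10:24:10.555, user=the_deleted_user, "
    "action=login attempt, info=succeeded][n/a]",
    "Audit:[timestamp=03-15-2019 10:25:30.000, user=the_deleted_user, action=search, "
    "info=granted, search_id='scheduler__the_deleted_user__search__RMD5deadbeef_at_1552645530_1', "
    "search='search index=auth action=failure | stats count by user | where count > 10', "
    'ttl=600, savedsearch_name="Brute force alert"][n/a]',
]

# One key=value pair. The value is single-quoted, double-quoted, or bare text
# running up to the next comma or closing bracket. Quoted values may contain
# commas, '=' signs and brackets (the search string usually does).
AUDIT_KV = re.compile(r"""(\w+)=('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^,\]]*)""")


def parse_audit_line(line: str) -> Dict[str, str]:
    """Split one _audit event into a dict of its key=value fields."""
    fields: Dict[str, str] = {}
    for match in AUDIT_KV.finditer(line):
        key, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # drop the surrounding quotes
        fields[key] = value
    return fields


def recover_searches(lines: Sequence[str], user: str,
                     keywords: Sequence[str] = ()) -> List[Dict[str, object]]:
    """Return the search events run by `user`, optionally only those whose
    search string contains every keyword (case-insensitive)."""
    found: List[Dict[str, object]] = []
    for line in lines:
        fields = parse_audit_line(line)
        if fields.get("user") != user or fields.get("action") != "search":
            continue
        search = fields.get("search", "")
        if keywords and not all(k.lower() in search.lower() for k in keywords):
            continue
        found.append({
            "timestamp": fields.get("timestamp", ""),
            "savedsearch_name": fields.get("savedsearch_name", ""),
            "search": search,
            # Scheduler-launched searches carry a scheduler__ prefixed search_id,
            # which is what distinguishes an alert run from an ad-hoc search.
            "scheduled": fields.get("search_id", "").startswith("scheduler__"),
        })
    return found


if __name__ == "__main__":
    for hit in recover_searches(SAMPLE_AUDIT_LINES, "the_deleted_user", ["failure"]):
        print(hit["timestamp"], hit["savedsearch_name"], "->", hit["search"])
```

Only the `search` field survives in the audit trail; the cron schedule, trigger condition and actions of the alert do not, so the event gives you the query to rebuild from, not the whole alert.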
See the answer from @Jtrucks, on the similar question. http://answers.splunk.com/answers/100022/what-happens-to-knowledge-objects-once-the-owner-user-is-de...
Search objects will not be deleted but will be kept on the file system where they were created.
I agree, KOs (including searches in savedsearches.conf) should not be deleted when a user is deleted in Splunk. His directory in $SPLUNK_HOME/etc/users/YourUserHere/ should still exist and in there should somewhere be at least one savedsearches.conf file with your payload in it.
You should be able to recreate the alerts (at least salvage the most important part, which is the search string) from the existing Alerts that have not aged out: Activity -> Triggered Alerts -> View Results (you can try Edit Search but it surely won't work). Do this right away because the search results have a limited TimeToLive (TTL) and will be auto-deleted quickly. If the alert was set up to send an email, you might also get the search string from old emails, too.
In addition, try this search:
index=_audit action=search
But remember that by default _audit is only available for the last 30 days.
cheers, MuS
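Pulling the definitions straight out of the orphaned savedsearches.conf recovers more than the audit trail does, because the stanza also holds the schedule, the alert actions and whether the search was disabled. The script below is an added example and not code from the thread or from Splunk: it builds a throwaway directory tree in the shape of $SPLUNK_HOME/etc/users/<user>/<app>/local/savedsearches.conf with a constructed conf file, then walks it with a small parser that understands the pieces of Splunk's .conf syntax the task needs (`[stanza]` headers, `key = value`, `#` comments, and backslash line continuation, which long search strings commonly use). The user name, app name and stanza contents are all made up for the demo; the attribute names (`search`, `cron_schedule`, `enableSched`, `action.email.to`, `disabled`) are standard savedsearches.conf keys.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed savedsearches.conf for the demo; not taken from any real install.
# The search string is split over three lines with backslash continuation.
DEMO_CONF = r"""# constructed example conf file
[Failed logins per host]
search = index=auth action=failure \
| stats count by host \
| where count > 20
cron_schedule = */15 * * * *
enableSched = 1
action.email = 1
action.email.to = soc@example.com

[Old disabled report]
search = index=main | head 10
disabled = 1
"""


def parse_splunk_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk-style .conf text: joins backslash-continued
    lines, skips comments/blanks, and returns {stanza: {key: value}}."""
    logical: List[str] = []
    pending = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):           # continuation: keep collecting
            pending += raw[:-1]
            continue
        logical.append(pending + raw)
        pending = ""
    if pending:                          # file ended on a continuation line
        logical.append(pending)

    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for line in logical:
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is not None and "=" in s:
            key, _, value = s.partition("=")  # split on the FIRST '=' only;
            stanzas[current][key.strip()] = value.strip()  # searches contain more
    return stanzas


def find_user_saved_searches(splunk_home: str, user: str) -> List[Dict[str, object]]:
    """Collect every saved search owned by `user` under
    $SPLUNK_HOME/etc/users/<user>/<app>/local/savedsearches.conf."""
    user_dir = Path(splunk_home) / "etc" / "users" / user
    results: List[Dict[str, object]] = []
    for conf in sorted(user_dir.glob("*/local/savedsearches.conf")):
        app = conf.parent.parent.name
        for name, attrs in parse_splunk_conf(conf.read_text()).items():
            results.append({
                "app": app,
                "name": name,
                "search": attrs.get("search", ""),
                "cron": attrs.get("cron_schedule", ""),
                "scheduled": attrs.get("enableSched", "0") == "1",
                "email_to": attrs.get("action.email.to", ""),
                "disabled": attrs.get("disabled", "0") == "1",
            })
    return results


def build_demo_tree(root: str, user: str = "the_deleted_user", app: str = "search") -> str:
    """Create the users/<user>/<app>/local layout under `root` with DEMO_CONF."""
    local = Path(root) / "etc" / "users" / user / app / "local"
    local.mkdir(parents=True, exist_ok=True)
    (local / "savedsearches.conf").write_text(DEMO_CONF)
    return root


def recover_demo() -> List[Dict[str, object]]:
    """Build the demo tree in a temp dir and return what can be recovered."""
    home = build_demo_tree(tempfile.mkdtemp(prefix="splunk_demo_"))
    return find_user_saved_searches(home, "the_deleted_user")


if __name__ == "__main__":
    for item in recover_demo():
        print(f"[{item['app']}] {item['name']}: {item['search']} (cron={item['cron']})")
```

Point it at the real $SPLUNK_HOME instead of the temp tree to list the orphaned objects; the recovered stanzas can then be re-created under a live owner, at which point the `disabled` and `enableSched` values tell you which ones were actually firing before the account was removed.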