Alerting

Is there any way to find and restore alerts that were created by a user whose account was deleted?

sdbandara
Engager

We have a lot of Splunk alerts that some users created in the related app. Now their account is gone and we have alerts that are missing from Splunk. Is there any way to find out which ones are missing and restore those?

Thanks 🙂


the_wolverine
Champion

Deleting a user does not delete that user's objects. The user's directory still exists on the filesystem and so all objects should still exist. Now, if you have also deleted the user's directory, then you will of course lose those objects.

You can search the index=_audit for the history of searches run/scheduled by the user. If your history is retained far enough back just search for the user's id and some terms from the alert (if you are able to recall them).

Example:
index=_audit user=the_deleted_user earliest=-60d search=alert string

If there's a match you'll see the exact search string that was scheduled.


somesoni2
Revered Legend

See the answer from @Jtrucks on a similar question: http://answers.splunk.com/answers/100022/what-happens-to-knowledge-objects-once-the-owner-user-is-de...

Search objects will not be deleted but will be kept on the file system where they were created.

woodcock
Esteemed Legend

I agree, KOs (including searches in savedsearches.conf) should not be deleted when a user is deleted in Splunk. His directory in $SPLUNK_HOME/etc/users/YourUserHere/ should still exist and in there should somewhere be at least one savedsearches.conf file with your payload in it.

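As an added example (not code from any of the answers above), a small Python script that reads a removed user's private savedsearches.conf files under $SPLUNK_HOME/etc/users/<user>/<app>/local/ and lists the alert stanzas worth recreating, with their search strings and schedules; it handles the backslash line continuations Splunk uses in .conf files. The sample conf content, alert names and searches are constructed for illustration.

```python
from pathlib import Path

# Constructed sample savedsearches.conf of a removed user (hypothetical names and searches).
SAMPLE_CONF = """[Failed logons spike]
search = index=wineventlog EventCode=4625 \\
| stats count by user | where count > 20
cron_schedule = */15 * * * *
[Old noisy alert]
search = index=main sourcetype=syslog error
disabled = 1
"""

def _logical_lines(text):
    """Join physical lines ending in '\\' (the .conf continuation marker) with a space."""
    buf = []
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1].strip())
            continue
        buf.append(raw.strip())
        yield " ".join(buf)
        buf = []
    if buf:
        yield " ".join(buf)

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, skipping comments and blank lines."""
    stanzas, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only; SPL contains '='
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def recoverable_alerts(conf_text, include_disabled=False):
    """Return stanzas that carry a search string: name, SPL and cron schedule."""
    return [{"name": n, "search": kv["search"], "cron_schedule": kv.get("cron_schedule")}
            for n, kv in parse_conf(conf_text).items()
            if "search" in kv and (include_disabled or kv.get("disabled") != "1")]

def scan_user_dir(splunk_home, user):
    """Alerts per app found under $SPLUNK_HOME/etc/users/<user>/<app>/local/savedsearches.conf."""
    root = Path(splunk_home) / "etc" / "users" / user
    return {c.parent.parent.name: recoverable_alerts(c.read_text())
            for c in sorted(root.glob("*/local/savedsearches.conf"))}
```

Run `scan_user_dir("/opt/splunk", "the_deleted_user")` on the search head to get the stanzas per app; the search strings can then be pasted into new alerts owned by a current account.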

woodcock
Esteemed Legend

You should be able to recreate the alerts (at least salvage the most important part, which is the search string) from the existing Alerts that have not aged out: Activity -> Triggered Alerts -> View Results (you can try Edit Search but it surely won't work). Do this right away because the search results have a limited TimeToLive (TTL) and will be auto-deleted quickly. If the alert was set up to send an email, you might also get the search string from old emails, too.

MuS
Legend

In addition, try this search:

index=_audit action=search

But remember that by default _audit is only available for the last 30 days.

cheers, MuS
