- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- How to run a curl command to reassign an abandoned...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Running the curl command noted in the docs:https://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Resolveorphanedsearches
On my search head captain:
curl -k -u uname:pass <host>:<mgmt_port>/servicesNS/<user_context>/<app_context>/saved/searches/<entity_name>/acl -d owner=newOwner -d sharing=user
I get back:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">User does not exist: user</msg>
</messages>
</response>
YES I REALIZE THAT
but on my search heads, I can still find that user in SPLUNKHOME/etc/users/
So how can this user exist and not exist and how can I reassign the search?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hope this link helps... (It was tested in v6.3.4 SHC)
http://wiki.splunk.com/Community:How_to_change_owner_of_savedsearches_using_REST_API
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey all, apparently this was resolved in 6.4.3 .. and in 6.6 reassignment can be done (by admin) in UI.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hope this link helps... (It was tested in v6.3.4 SHC)
http://wiki.splunk.com/Community:How_to_change_owner_of_savedsearches_using_REST_API
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is still the same. It says the user doesn't exist. Because they do not exist BUT their user path DOES exist via the File System. So I cannot remove anything via the GUI as there's nothing to remove and I can't do it via REST for the same reason.
So the question remains: how do I do this properly in a large clustered environment, we have 34 search heads
what would be the effect of
rm -rf SPLUNKHOME/etc/users/<user_no_longer_here>
Would that work? Would that replicate to the other SH's?
If the saved search goes away it's fine, I can re-crate it
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is strange user does not exist happens if you're using admin, user does not matter in general. The objects should be available through SplunkWeb. If not, Splunk is not aware of any objects owned by the user.
- Can you make sure you have list of search objects by the user through GUI?
- Make sure this by admin
- Can you show us full curl command and the output (without password of course)
- How about trying to change to app shared?
rm -rf is fine. But, won't be replicated at all.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So via the GUI there is NOTHING for this user NOR is the search tied to them found. It IS however in the file system which is why it keeps throwing the abandoned search messages.
I am the admin
I cant put it all here as it specific to my place of business but heres MOST of it:
curl -k -u uname:pass <host>:8089/servicesNS/kmothenkani/stubhub_dashboard/saved/searches/SFR-PDF%20APIs/acl -d owner=tkwaller -d sharing=user
Also tried:
./splunk search
"| rest splunk_server=local /servicesNS/-/-/saved/searches
| table eai:acl.sharing eai:acl.owner id
| rename eai:acl.owner as owner eai:acl.sharing AS sharing
| search owner=kmothekani"
Your session is invalid. Please login.
Splunk username: admin
Password:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just FYI the formatting isn't quite right here but the second search I listed here is straight from the doc you added:
http://wiki.splunk.com/Community:How_to_change_owner_of_savedsearches_using_REST_API
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, Splunk does not see any objects owned by the users. In that case, REST call cannot help.
All you can do is to delete the user directory one by one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am accepting this answer because it IS the correct answer........BUT its not a good resolution, not that I expect anyone to fix it. How is it that Splunk cannot see these users via the GUI but it still sees these users artifacts in their directories.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, the user_context is original owner (no longer a valid user), the error that you see is for original user OR newOwner ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes the <user_context> is the old user, the error is for the OLD user, as that user no longer exists but DOES exist in the FS.
The user doesn't exist via splunk web nor does the savedsearch but I CAN find it in SPLUNKHOME/etc/apps/users/<user_context>/
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
