How to remove the orphan scheduled search from Splunk environment?

Hemnaath
Motivator

Hi All, we could see that six orphan scheduled searches are being populated in the Deployment server --> Messages. When we checked the details of the orphan searches, we noticed that they are assigned to a user who no longer exists in our organisation, and we could also locate the saved searches from which these orphan searches are being triggered on the Deployment server.

Paths where these scheduled searches are configured:

/opt/splunk/etc/apps/sos/local/savedsearches.conf
/opt/splunk/etc/apps/search/local/savedsearches.conf

If we edit these files by applying the # symbol to the scheduled searches and restart the Splunk services, will disabling them in this way stop the messages from being populated in the Deployment server?

1 Solution

abhijit_mhatre
Path Finder

Hi Hemnaath,

The saved searches which are present in Deployment server would be present on the Searchhead. You can reassign the orphaned searches from Searchhead to any user. Go to Searchhead--->Settings--->All Configurations--->Reassign Knowledge Objects

Select the searches which are orphaned & reassign them to any user.

Let me know if this helps.

Thanks,
Abhijit Mhatre

esalesapns2
Path Finder

There's a document that describes how to recover from this:
https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Resolveorphanedsearches

However, I could neither "Temporarily recreate the invalid owner" (we use LDAP), nor "Perform a knowledge object stanza copy and paste operation between two .conf files" (the search is on a SHC). No guidance exists for this situation. I can remove the files from the SHC, but other documentation says "changes made to configuration files on SHCs will not be replicated". To remove them, I edited all my searchhead $SPLUNK_HOME/etc/users//.../savedsearches.conf files directly on each member of the cluster to change "enableSched" to "0", then initiated a rolling-restart of my SHC. This worked for me.

0 Karma
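The `enableSched` edit described in the post above can be checked and applied per stanza rather than by hand. The following is an added example, not code from the thread or from Splunk: the function names are hypothetical, the stanza bodies in the sample are constructed, and it assumes the plain `[stanza]` / `key = value` layout of `savedsearches.conf` with `1` or `true` as the "on" values.

```python
import re

# Constructed sample of a private savedsearches.conf, e.g. the content of
# /opt/splunk/etc/users/testuser/search/local/savedsearches.conf (bodies made up).
SAMPLE_CONF = """\
[admin_idx_daily_sum]
enableSched = 1
search = index=_internal | stats count by host

# [admin_idx_violations]
# enableSched = 1

[admin_summary_user_searches]
enableSched = true
search = index=_audit action=search \\
    | stats count by user

[adhoc_report]
enableSched = 0
"""

STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SCHED = re.compile(r"^(\s*enableSched\s*=\s*)(\S+)\s*$")
TRUTHY = {"1", "true"}  # assumption: the values used for "on" in these files


def scheduled_searches(conf_text):
    """Return stanza names whose enableSched is on; '#' lines never match."""
    found, current = [], None
    for line in conf_text.splitlines():
        m, s = STANZA.match(line), SCHED.match(line)
        if m:
            current = m.group("name")
        elif s and current and s.group(2).lower() in TRUTHY:
            found.append(current)
    return found


def disable_schedules(conf_text, names):
    """Return conf_text with enableSched set to 0 in the named stanzas only."""
    out, current = [], None
    for line in conf_text.splitlines():
        m, s = STANZA.match(line), SCHED.match(line)
        if m:
            current = m.group("name")
        elif s and current in names:
            line = s.group(1) + "0"  # keep the original key spacing
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `scheduled_searches` over each file under the departed user's directory lists what still fires; the rewritten text only takes effect after the restart the posts describe.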

abhijit_mhatre
Path Finder

Hi Hemnaath,

The saved searches which are present in Deployment server would be present on the Searchhead. You can reassign the orphaned searches from Searchhead to any user. Go to Searchhead--->Settings--->All Configurations--->Reassign Knowledge Objects

Select the searches which are orphaned & reassign them to any user.

Let me know if this helps.

Thanks,
Abhijit Mhatre

bohanlon_splunk
Splunk Employee

I downvoted this post because searchhead--->settings--->all configurations--->reassign knowledge objects are not real/valid options.

0 Karma

gwalford
Path Finder

Reassign Knowledge Objects exists in newer versions of Splunk - 7.X and up I believe.

0 Karma

Hemnaath
Motivator

Hi Abhijit, I have checked on all the three search head cluster in order to find the orphaned searches, but no luck. I could not see any of the 6 scheduled searches that are popping up in Deployment manager.

Moreover, messages are popping up only in the deployment server --> Messages, and when I checked --> Settings --> Knowledge objects --> All configuration --> Reassign Knowledge objects --> Orphaned, I could see some other orphaned search names, and they are different from the scheduled searches which are popping up in messages.

Kindly advise me how to fix this issue.

Thanks in advance.

0 Karma

abhijit_mhatre
Path Finder

You can go & check the Orphaned Scheduled Searches, Reports, and Alerts dashboard on the deployment server under the Dashboards tab.

There you can check the orphaned searches. The orphaned search error messages would have the same names as the searches which have become orphaned.

Please check & let me know.

0 Karma

Hemnaath
Motivator

Hi Abhijit,
Yes, I have checked in Deployment server --> Splunk --> Dashboard --> Orphaned searches and found the same 5 scheduled searches.

admin_idx_daily_sum
admin_idx_violations
admin_summary_index_space_by_indexer
admin_summary_of_index_by_s_st_h_pool
admin_summary_user_searches

The above-mentioned scheduled searches are configured in the deployment server, under the locations:
/opt/splunk/etc/apps/sos/local/savedsearches.conf
/opt/splunk/etc/apps/search/local/savedsearches.conf

Also, I could see the user details in the below locations in the deployment server.

/opt/splunk/etc/users/testuser/sos/local/savedsearches.conf
/opt/splunk/etc/users/testuser/search/local/savedsearches.conf

My question: can I disable the scheduled search details from this location? Will doing this stop the orphaned alerts from popping up in the Deployment console? Kindly guide me on this.

Thanks in advance.

0 Karma

abhijit_mhatre
Path Finder

Hi Hemnaath,

You can disable these orphaned searches if they are no longer required. If they are required, you can clone them or assign them to any user.

0 Karma

Hemnaath
Motivator

Thanks Abhijit, let me disable the saved searches from the below locations permanently.

User details:
/opt/splunk/etc/users/testuser/sos/local/savedsearches.conf
/opt/splunk/etc/users/testuser/search/local/savedsearches.conf

Scheduled saved searches detail:

/opt/splunk/etc/apps/sos/local/savedsearches.conf
/opt/splunk/etc/apps/search/local/savedsearches.conf

0 Karma

Hemnaath
Motivator

Thanks Abhijit, it worked.

0 Karma