Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Saved Searches, Summary Indexes, etc - After a user leaves the company

Ricapar
Communicator
‎02-19-2014 12:04 PM

We're starting to make use of summary indexes as a way to keep statistics and metrics for an extended period of time.

However, I got a question from a user that I wasn't able to answer directly. What happens to summary indexing searches when a user leaves the company (gets deleted)?

We're using LDAP to populate users and roles. When a user leaves the company, their ID is removed from all AD groups and then deleted. This is an automated internal process that happens pretty quickly.

If a user has saved searches that are being used to generate summary indexes, will those searches suddenly stop working? Do all the objects owned by the user get deleted when the account stops coming in from LDAP?

Any best practices to avoid issues that could arise from this?

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎02-19-2014 12:30 PM

When an account gets deleted from the AD, Splunk will retain its configuration objects - summary indexing will continue, so will scheduled searches powering dashboards, and so on.

You will however get warnings along the lines of "can't find user 'deleted employee' through my LDAP connection" in the _internal index. To avoid that, go to etc/apps/appname/metadata and replace that username with someone else, transferring ownership and stopping the warnings.
You can of course avoid this entirely by having special non-AD users that are to be used when something scheduled goes "live" / into a production state, but that's probably not practical in the real world.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...