I've had a few users leave the company now that have had saved searches. Removing the $splunk_home/etc/users/
If I search for files that contain the login name, I find the following example entry for "tuser"q:
etc/apps/search/local/viewstates.conf:
[viewstates/flashtimeline%3Agu5s5mv8]
owner = tuser
version = 4.2.3
export = system
Is it safe to remove these entries? Is there a better way to remove terminated users?
Make sure the users not in any meta files either. If you're on a linux machine I'd do the following:
grep -r "username" $SPLUNK_HOME
That'll find all instances of the user name in any configuration files.
Removing those entries in viewstates.conf doesn't resolve the error either.