Resolve orphaned searches, reports, and alerts
When a user leaves a department or company and their Splunk account is deactivated, the searches, reports, and alerts that they created remain in the system, which can result in "orphaned searches." An orphaned search is a search that is configured to run on a schedule (such as a scheduled report or an alert) but no longer has a valid owner.
The search scheduler cannot run orphaned scheduled searches. The scheduler does not know how to correctly run a search on behalf of a nonexistent owner. It no longer knows the roles that the owner has and therefore does not know what configurations apply to the orphaned search, nor what search quotas the owner is limited by.
Orphaned searches also present a security concern: If a user leaves your company and you delete their Splunk account, any searches that are being run on behalf of that user are now orphaned and must be detected and stopped.
How to resolve an orphaned search
By default, when Splunk software detects that a scheduled search, report or alert is orphaned, it gives you a notification that includes the name of the orphaned search.
The action you take to resolve an orphaned search depends on what you want to do with the search going forward.
- If you want the search to continue running on its schedule as a scheduled report or alert, you can re-enable its owner or give it a new owner. This method requires filesystem access.
- If you want the search to run again, but not on a schedule, you can remove its schedule (only applies to orphaned searches that have been shared to other users).
- If you do not want the search to run again under any circumstances, you can disable it entirely.
Re-enable an orphaned search
Re-enable an orphaned search if you want the search to continue running on its schedule. You have two options. You can make the invalid search owner valid again, or you can reassign ownership of the search to a user who is currently valid.
Make the invalid search owner valid again
Add the invalid search owner as a new user of your Splunk deployment. See About users and roles in the Admin Manual.
Reassign an orphaned search to a valid owner
The cleanest way to reassign an orphaned search to a valid owner is to make a REST API call. Use this method if your Splunk deployment uses search head clustering.
Here is an example of the REST API call that you might use to reassign an orphaned search to a new owner.
curl https://<host>:<mgmt_port>/servicesNS/nobody/<app_context>/saved/searches/<entity_name>/acl -d add_orphan_field=yes -d count=0 -d owner=<desired_owner> -d sharing=<sharing_level>
This REST API call takes the app context into account, and requires that the desired search owner uses the same "sharing level" as the orphaned search. In other words, if the orphaned search is shared at the app level, you would use sharing=app in the REST API call. Valid values for
Alternatively, you can reassign an orphaned search by manually making changes to savedsearches.conf files. Which files you change depends on whether the orphaned search was shared with other users.
The below methods have the following restrictions and caveats:
- They are not recommended if your Splunk deployment uses search head clustering.
- They require that you have filesystem access to your Splunk deployment (Splunk Cloud users do not have this).
- They require you to restart your Splunk deployment.
Reassign a shared, orphaned search by editing
When a user shares a search with other users at the app or global level, it is shared in the context of an app.
Modify the .meta file that keeps the ownership information for the orphaned search. In most cases this will be a local.meta file, but orphaned searches can have their ownership information in default.meta files as well.
- In the filesystem of your Splunk deployment, open
- Find the savedsearches stanza for the orphaned search and replace the owner value with the name of a valid search owner.
- Restart your Splunk deployment to make the changes take effect.
For example, say you have a scheduled search named Important Report that was shared to users of the Search app by its original owner, John Vincent. Vincent left your organization and now Important Report is showing up as an orphaned search. You go into etc/apps/Search/metadata/local.meta and see this:
[savedsearches/important%20report]
access = read : [ * ], write : [ admin ]
export = none
owner = jvincent
version = 6.4.0
modtime = 1461111154.871686000
You have a valid user who can own this search. Her name is Mary Bee. Change the Important Report stanza to this:
[savedsearches/important%20report]
access = read : [ * ], write : [ admin ]
export = none
owner = mbee
version = 6.4.0
modtime = 1461111154.871686000
Save that change and restart your system. Mary Bee now owns Important Report.
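Before editing by hand, it helps to list every shared saved search whose owner is no longer valid. The following is an added example, not Splunk code: it parses .meta text in the layout shown above, reports orphaned savedsearches stanzas, and rewrites the owner of one of them. The sample metadata is constructed, and the set of valid users is an assumed input that you would take from your own user directory.

```python
import re
from urllib.parse import unquote

# Constructed sample in the layout of the local.meta stanza shown above.
SAMPLE_META = """\
[savedsearches/important%20report]
access = read : [ * ], write : [ admin ]
export = none
owner = jvincent

[savedsearches/weekly%20errors]
access = read : [ * ], write : [ admin ]
owner = mbee

[views/overview]
owner = jvincent
"""

STANZA = re.compile(r"^\[(?P<kind>[^/\]]+)/(?P<name>[^\]]+)\]\s*$")
OWNER = re.compile(r"^(\s*owner\s*=\s*)(\S+)\s*$")

def _saved_search(line):
    """Decoded search name if line is a [savedsearches/<name>] header, else None."""
    m = STANZA.match(line)
    return unquote(m["name"]) if m and m["kind"] == "savedsearches" else None

def find_orphans(meta_text, valid_users):
    """Map saved-search name -> owner for stanzas whose owner is not in valid_users
    (valid_users is an assumed input, e.g. exported from your user directory)."""
    orphans, current = {}, None
    for line in meta_text.splitlines():
        if line.startswith("["):
            current = _saved_search(line)   # None for other object types
            continue
        o = OWNER.match(line)
        if o and current and o[2] not in valid_users:
            orphans[current] = o[2]
    return orphans

def reassign(meta_text, search_name, new_owner):
    """Return meta_text with the owner of one saved-search stanza replaced."""
    out, in_target = [], False
    for line in meta_text.splitlines():
        if line.startswith("["):
            in_target = _saved_search(line) == search_name
        elif in_target:
            line = OWNER.sub(lambda o: o[1] + new_owner, line)
        out.append(line)
    return "\n".join(out) + "\n"
```

Only savedsearches stanzas are reported or rewritten, so other knowledge objects owned by the departed user, such as the views stanza in the sample, are left untouched.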
Reassign an unshared, orphaned search by editing the
If the orphaned report has not been shared with other users, it is defined entirely within the savedsearches.conf file at the user level.
Cut the stanza for the search out of the savedsearches.conf file for the invalid user and paste it into the savedsearches.conf file for a valid user.
- In the filesystem of your Splunk deployment, open the savedsearches.conf file for an invalid user at
- Locate the stanza for the orphaned scheduled search and cut it out.
- Save your changes to the file and close it.
- Open the savedsearches.conf file for a valid user at
- Copy the search stanza that you just cut to the savedsearches.conf file for the valid user.
- Save your changes to the file and close it.
- Restart your Splunk deployment so the changes take effect.
Remove the schedule of an orphaned search
You can remove the schedule of an orphaned search by removing all schedule information from its definition in Settings > Searches, reports, and alerts. When you do this the search still exists. If it has been shared with other users of an app, users of that app can run it. This can be important if it is used in a dashboard, for example. However, you may need to ensure that other users do not schedule it again. You can do this by limiting the number of roles that have edit access to the search.
Disable an orphaned search
If you do not want an orphaned search to run again under any circumstances, disable it through the listing page at Settings > Searches, reports, and alerts. When you disable the search, it is unavailable for any purpose save further administrative actions (such as to re-enable it).
Delete an orphaned search
If your permissions allow you to do so, you can delete an orphaned scheduled search through the Reports listing page if you do not need it to run now or again in the future.
Turn off notifications of orphaned searches
By default, Splunk software notifies you about orphaned searches. If you would rather not receive these notifications, open limits.conf, look for the [system_checks] stanza, and set
This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7