Resolve orphaned searches, reports, and alerts

When a user leaves a department or company and their Splunk account is deactivated, the searches, reports, and alerts that they created remain in the system, which can result in "orphaned searches." An orphaned search is a search that is configured to run on a schedule (such as a scheduled report or an alert) but no longer has a valid owner.

The search scheduler cannot run orphaned scheduled searches. The scheduler does not know how to correctly run a search on behalf of a nonexistent owner. It no longer knows the roles that the owner has and therefore does not know what configurations apply to the orphaned search, nor what search quotas the owner is limited by.

Orphaned searches also present a security concern: If a user leaves your company and you delete their Splunk account, any searches that are being run on behalf of that user are now orphaned and must be detected and stopped.

How to resolve an orphaned search

By default, when Splunk software detects that a scheduled search, report or alert is orphaned, it gives you a notification that includes the name of the orphaned search.

The action you take to resolve an orphaned search depends on what you want to do with the search going forward.

• If you want the search to continue running on its schedule as a scheduled report or alert, you can re-enable its owner or give it a new owner. This method requires filesystem access.
• If you want the search to run again, but not on a schedule, you can remove its schedule (only applies to orphaned searches that have been shared to other users).
• If you do not want the search to run again under any circumstances, you can disable it entirely.

Re-enable an orphaned search

Re-enable an orphaned search if you want the search to continue running on its schedule. You have two options. You can make the invalid search owner valid again, or you can reassign ownership of the search to a user who is currently valid.

Make the invalid search owner valid again

Add the invalid search owner as a new user of your Splunk deployment. See About users and roles in the Admin Manual.

Reassign an orphaned search to a valid owner

The cleanest way to reassign an orphaned search to a valid owner is to make a REST API call. Use this method if your Splunk deployment uses search head clustering.

Here is an example of the REST API call that you might use to reassign an orphaned search to a new owner.

curl https://<host>:<mgmt_port>/servicesNS/nobody/<app_context>/saved/searches/<entity_name>/acl -d add_orphan_field=yes -d count=0 -d owner=<desired_owner> -d sharing=<sharing_level>

This REST API call takes the app context into account, and requires that the desired search owner uses the same "sharing level" as the orphaned search. In other words, if the orphaned search is shared at the app level, you would use sharing=app in the REST API call. Valid values for sharing are user, app, and global.

Alternatively, you can reassign an orphaned search by manually making changes to local.meta and savesearches.conf files. Which files you change depends on whether the orphaned search was shared with other users.

The below methods have the following restrictions and caveats:

• They are not recommended if your Splunk deployment uses search head clustering.
• They require that you have filesystem access to your Splunk deployment (Splunk Cloud users do not have this).
• They require you to restart your Splunk deployment.

Reassign a shared, orphaned search by editing .meta files

When a user shares a search with other users at the app or global level, it is shared in the context of an app.

Modify the .meta file that keeps the ownership information for the orphaned search. In most cases this will be a local.meta file, but orphaned searches can have their ownership information in default.meta files as well.

1. In the filesystem of your Splunk deployment, open etc/apps/<name_of_app>/metadata/local.meta.
2. Find the savesearches stanza for the orphaned search and replace the owner value with the name of a valid search owner.
3. Restart your Splunk deployment to make the changes take effect.

For example, say you have a scheduled search named Important Report that was shared to users of the Search app by its original owner, John Vincent. Vincent left your organization and now Important Report is showing up as an orphaned search. You go into etc/apps/Search/metadata/local.meta and see this:

[savedsearches/important%20report]
access = read : [ * ], write : [ admin ]
export = none
owner = jvincent
version = 6.4.0
modtime = 1461111154.871686000

You have a valid user who can own this search. Her name is Mary Bee. Change the Important Report stanza to this:

[savedsearches/important%20report]
access = read : [ * ], write : [ admin ]
export = none
owner = mbee
version = 6.4.0
modtime = 1461111154.871686000

Save that change and restart your system. Mary Bee now owns Important Report.

Reassign an unshared, orphaned search by editing the savedsearches.conf file

If the orphaned report has not been shared with other users, it is defined entirely within the savedsearches.conf file at the user level.

Cut the stanza for the search out of the savedsearches.conf file for the invalid user and paste it into the savedsearches.conf file for a valid user.

1. In the filesystem of your Splunk deployment, open the the savedsearches.conf file for an invalid user at etc/users/<name_of_invalid_user>/search/local/savedsearches.conf.
2. Locate the stanza for the orphaned scheduled search and cut it out.
3. Save your changes to the file and close it.
4. Open the the savedsearches.conf file for a valid user at etc/users/<name_of_valid_user>/search/local/savedsearches.conf.
5. Copy the search stanza that you just cut to the savedsearches.conf file for the valid user.
6. Save your changes to the file and close it.
7. Restart your Splunk deployment so the changes take effect.

Remove the schedule of an orphaned search

You can remove the schedule of an orphaned search by removing all schedule information from its definition in Settings > Searches, reports, and alerts. When you do this the search still exists. If it has been shared with other users of an app, users of that app can run it. This can be important if it is used in a dashboard, for example. However, you may need to ensure that other users do not schedule it again. You can do this by limiting the number of roles that have edit access to the search.

Disable an orphaned search

If you do not want an orphaned search to run again under any circumstances, disable it through the listing page at Settings > Searches, reports, and alerts. When you disable the search, it is unavailable for any purpose save further administrative actions (such as to re-enable it).

Delete an orphaned search

If your permissions allow you to do so, you can delete an orphaned scheduled search through the Reports listing page if you do not need it to run now or again in the future.

Turn off notifications of orphaned searches

By default, Splunk software notifies you about orphaned searches. If you would rather not receive these notifications, open limits.conf, look for the [system_checks] stanza, and set orphan_searches to disabled.