Orphaned Knowledge Objects – If a Knowledge object owner leaves a company or if in-case his Splunk account gets deactivated, the knowledge objects goes to Orphan state.

 Problems due to Orphaned KO :

 
  1. Reports/Alerts/Lookups without valid owners can cause problems like broken dashboards and embedded searches, data collection gaps in summary indexes, and more. 
  2. Search scheduler cannot run a scheduled KO on behalf of a nonexistent owner. 

Orphaned Scheduled Search Notifications :

 
  • Splunk UI displays notification message once it find an orphan search.
 
 

How to Reassign Orphaned KO :

NOTE : 
 
  • we can only reassign objects that have been shared to the app or global levels. 
  • Admin role is required to Reassign the ownership from UI.
  • Back-end changes will require file system access.

Reassigning the owner can be done from UI and back end.

 Steps from front-end (UI) :

  • Solution 1: Recreate the temp invalid owner 
    • The easiest solution for this is to temporarily recreate the invalid owner account, reassign the knowledge object, and then deactivate the invalid owner account.
    • Solution 2: Steps in User Interface (UI) (suitable for shared in App/Global)
 
    • Select Settings >All configurations.
 
    • Click Reassign Knowledge Objects.
    • Click Orphaned to filter out non-orphaned objects from the list.

 

Steps from back-end 
  • As mentioned earlier the KO can be either Reports/Alerts/Lookups, so pick a valid .conf file and transfer ownership of orphaned knowledge objects by replacing the valid owners name, for a respective savedsearch.
 
 

A feedback would be greatly appreciated. Please ask you questions on comments section. Happy Splunking 😉