Problems due to Orphaned KOs:
- Reports/Alerts/Lookups without valid owners can cause problems like broken dashboards and embedded searches, data collection gaps in summary indexes, and more.
- The search scheduler cannot run a scheduled KO on behalf of a nonexistent owner.
Orphaned Scheduled Search Notifications:
- The Splunk UI displays a notification message once it finds an orphaned search.
How to Reassign Orphaned KOs:
- We can only reassign objects that have been shared at the app or global level.
- The admin role is required to reassign ownership from the UI.
- Back-end changes will require file system access.
Reassigning the owner can be done from UI and back end.
Steps from front-end (UI):
- Solution 1: Temporarily recreate the invalid owner
  - The easiest solution is to temporarily recreate the invalid owner account, reassign the knowledge object, and then deactivate the invalid owner account.
- Solution 2: Steps in the user interface (UI) (suitable for objects shared at the app or global level)
  - Select Settings > All configurations.
  - Click Reassign Knowledge Objects.
  - Click Orphaned to filter out non-orphaned objects from the list.
  - As mentioned earlier, the KO can be a report, alert, or lookup, so pick a valid .conf file and transfer ownership of the orphaned knowledge object by replacing the owner with a valid owner's name for the respective saved search.
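The file-level ownership change from the last step above, sketched as an added example (not from the original post). It assumes ownership is recorded as `owner = <user>` under `[<type>/<name>]` stanzas in the app's `metadata/local.meta`; the sample file content, user names and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample of an app's metadata/local.meta (not from the original page).
SAMPLE_META = """\
[savedsearches/Failed%20logins%20summary]
owner = jdoe
export = system

[savedsearches/Disk%20usage%20alert]
owner = admin

[lookups/assets.csv]
owner = jdoe
export = system
"""

STANZA = re.compile(r"^\[([^/\]]+)/(.+)\]\s*$")    # [<type>/<url-encoded name>]
OWNER = re.compile(r"^(\s*owner\s*=\s*)(.+?)\s*$")

def find_orphans(meta_text, valid_users):
    """Return (type, name, owner) for each object whose owner is not a valid user."""
    orphans, current = [], None
    for line in meta_text.splitlines():
        if line.startswith("["):
            m = STANZA.match(line)
            current = (m.group(1), unquote(m.group(2))) if m else None
            continue
        o = OWNER.match(line)
        if o and current and o.group(2) not in valid_users:
            orphans.append((*current, o.group(2)))
    return orphans

def reassign(meta_text, valid_users, new_owner):
    """Rewrite only the owner lines of orphaned objects; all other lines are kept."""
    if new_owner not in valid_users:
        raise ValueError("new owner must be an existing user")
    out, in_obj = [], False
    for line in meta_text.splitlines():
        if line.startswith("["):
            in_obj = bool(STANZA.match(line))
        o = OWNER.match(line)
        if o and in_obj and o.group(2) not in valid_users:
            line = o.group(1) + new_owner
        out.append(line)
    return "\n".join(out) + "\n"
```

Pass the current list of Splunk user names as `valid_users`, and include `nobody` so that objects without a named owner are not reported as orphaned.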
Feedback would be greatly appreciated. Please ask your questions in the comments section. Happy Splunking 😉