Scheduling Inspector gives users the tools to re-assign Orphan Searches to new accounts. To start this process, go to the Orphaned Searches dashboard of the Scheduling Inspector application.

A list of Orphan Searches (if there are any) will populate under the Inventory of Orphaned Reports. An Orphan Search is a scheduled report, created by a previous user, that is put on pause after its owner is removed from the Splunk system. This can lead to important searches failing to run and could open up holes in security monitoring and execution.

In this report, each Orphan Search is listed with additional information such as its app source, permissions, and cron schedule.

Once you have identified an Orphan Search that needs updating, select it to populate the Orphan Search report below.

For example, after selecting ‘Bobs Important Search,’ additional details appear that give context on how the search was being used. Users can click ‘View Search’ to investigate further, or they can change the Owner, Sharing settings, and App location of the Search and select ‘Save Changes’ to officially update the Scheduled Search.

With these tools, admins can quickly identify and update Orphan Searches so they get back to populating alerts and ensuring Splunk usability.
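An independent cross-check of the inventory described above, as an added example that is not part of Scheduling Inspector or its documentation: it flags scheduled searches whose owner is missing from the current user list and reports the same fields (app, sharing, cron schedule). The JSON sample and user set are constructed, and the record layout (`acl.owner`, `content.is_scheduled`, `content.cron_schedule`) is an assumption based on Splunk's `saved/searches` REST output in JSON mode.

```python
import json

# Constructed sample; layout assumes Splunk's saved/searches REST output
# requested with output_mode=json.
SAVED_SEARCHES_JSON = """
{"entry": [
  {"name": "Bobs Important Search",
   "acl": {"owner": "bob", "app": "search", "sharing": "app"},
   "content": {"is_scheduled": true, "cron_schedule": "*/15 * * * *"}},
  {"name": "Failed Logins Hourly",
   "acl": {"owner": "alice", "app": "search", "sharing": "global"},
   "content": {"is_scheduled": "1", "cron_schedule": "0 * * * *"}},
  {"name": "Bobs Ad Hoc Query",
   "acl": {"owner": "bob", "app": "search", "sharing": "user"},
   "content": {"is_scheduled": false, "cron_schedule": ""}}
]}
"""

CURRENT_USERS = {"admin", "alice"}  # constructed: bob's account was removed


def _truthy(value):
    """REST output may carry booleans as true/false or as "1"/"0"."""
    return str(value).strip().lower() in {"1", "true"}


def find_orphaned_searches(saved_searches_json, current_users):
    """Return scheduled searches whose owner is not a current user."""
    orphans = []
    for entry in json.loads(saved_searches_json).get("entry", []):
        acl = entry.get("acl", {})
        content = entry.get("content", {})
        if not _truthy(content.get("is_scheduled")):
            continue  # only scheduled searches are in scope here
        if acl.get("owner") in current_users:
            continue  # owner still exists, so the search is not orphaned
        orphans.append({
            "name": entry.get("name"),
            "owner": acl.get("owner"),
            "app": acl.get("app"),
            "sharing": acl.get("sharing"),
            "cron_schedule": content.get("cron_schedule"),
        })
    return sorted(orphans, key=lambda o: (o["app"] or "", o["name"] or ""))


if __name__ == "__main__":
    for o in find_orphaned_searches(SAVED_SEARCHES_JSON, CURRENT_USERS):
        print("{name}  owner={owner} app={app} sharing={sharing} "
              "cron={cron_schedule}".format(**o))
```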

Updated on January 7, 2022

