Community:How to change owner of savedsearches using REST API

From Splunk Wiki

Jump to: navigation, search

As a Splunk admin, you may need to change owner of saved searches when a user left a company, and not available anymore.

Probably there are three ways to achieve this. 

   1. Manually changing owner through Splunkweb GUI
   2. Editing local.meta file
   3. Using REST to update/overwrite ownership

In this topic, we show example of REST.


Use Case

I'm using SHC(Search Head Clustering). Splunk version is v6.3.4. A user, user01, left a company and we would like to move the user's saved search owner to an existing user, user02. The user01 created a lot of savedsearches.

Solution using REST

Well, using python SDK and creating a robust security and error checking, recording logs will be better. But, I would like to post here a quick solution.

Three steps
Back up current configuration, and test this in your test environment several times to make sure you don't run into problem. (In my case, I screwed up with typo and deleted some savedsearches. Lucky me, it was just test env.)
1. Find all Saved searches with permission(private, app, or global) owned by user01

   | rest /servicesNS/-/-/saved/searches

2. Use REST call to change owner

   /servicesNS/user01/search/saved/searches/$_SAVED_SEARCH_NAME_$/acl -d owner=user02 -d sharing=$_SHARING_VALUE_$

3. Verify there is no saved searches owned by user01, and all of them are owned by user02

   | rest /servicesNS/-/-/saved/searches

4. Reload the scheduler. 

  ./splunk _internal call /servicesNS/user02/search/saved/searches/_reload

Example: Solution using REST

1. Find all Saved searches with permission(private, app, or global) owned by user01

./bin/splunk search \
                "| rest splunk_server=local /servicesNS/-/-/saved/searches \
                    | table eai:acl.sharing eai:acl.owner id \
                    | rename eai:acl.owner as owner, eai:acl.sharing AS sharing  \
                    | search owner=user01"

sharing  owner                                               id
------- -------- ------------------------------------------------------------------------------------------
global  user01 https://10.140.48.158:55581/servicesNS/nobody/search/saved/searches/Test%2001
app     user01 https://10.140.48.158:55581/servicesNS/nobody/search/saved/searches/Test%2002
global  user01 https://10.140.48.158:55581/servicesNS/nobody/search/saved/searches/Test%2003
user    user01 https://10.140.48.158:55581/servicesNS/user01/splunk_for_vmware/saved/searches/Test%2010
user    user01 https://10.140.48.158:55581/servicesNS/user01/splunk_for_vmware/saved/searches/Test%2011
user    user01 https://10.140.48.158:55581/servicesNS/user01/splunk_for_vmware/saved/searches/Test%2012


2. Use REST call to change owner

REST call for the 2nd step

# Changing from user01 to user02
# Be careful ! REST does not have a good error checking. You might mess up the result by mistake.
# Note: if sharing is not specified, you're trying to make it as global. But, if the object is private, you cannot change permission to global implicitly, and get error. 
# Note: This will return REST call return. I'm not showing the returns here

ORIG_OWNER=user01;\
NEW_OWNER=user02;\
for i  in `./bin/splunk search  "| rest /servicesNS/-/-/saved/searches  
            | table eai:acl.sharing eai:acl.owner id  
            | rename eai:acl.owner as owner, eai:acl.sharing AS sharing   
            | search owner=\"$ORIG_OWNER\"  
            | eval I = sharing + \"::\" + id 
            | fields I " 
            | grep http`; 
do echo $i; 
SHARING=$( echo $i | grep -oP "^.*(?=::)" ) ; 
URL=$(echo $i | grep -oP "(?<=::).*$" ) ; 
curl -k -u admin:changeme $URL/acl -d owner=$NEW_OWNER -d sharing=$SHARING ; 
done

3. Verify there is no saved searches owned by user01, and all of them are owned by user02

./bin/splunk search \
                "| rest splunk_server=local /servicesNS/-/-/saved/searches \
                    | table eai:acl.sharing eai:acl.owner id \
                    | rename eai:acl.owner as owner, eai:acl.sharing AS sharing  \
                    | search owner=user02"

sharing  owner                                               id
------- -------- ------------------------------------------------------------------------------------------
global  user02 https://10.140.48.158:55581/servicesNS/nobody/search/saved/searches/Test%2001
app     user02 https://10.140.48.158:55581/servicesNS/nobody/search/saved/searches/Test%2002
global  user02 https://10.140.48.158:55581/servicesNS/nobody/search/saved/searches/Test%2003
user    user02 https://10.140.48.158:55581/servicesNS/user02/splunk_for_vmware/saved/searches/Test%2010
user    user02 https://10.140.48.158:55581/servicesNS/user02/splunk_for_vmware/saved/searches/Test%2011
user    user02 https://10.140.48.158:55581/servicesNS/user02/splunk_for_vmware/saved/searches/Test%2012
Retrieved from "https://wiki.splunk.com/index.php?title=Community:How_to_change_owner_of_savedsearches_using_REST_API&oldid=58128"
Personal tools
Hot Wiki Topics


About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk