Community:How to change owner of savedsearches using REST API
From Splunk Wiki
As a Splunk admin, you may need to change the owner of saved searches when a user has left the company and is no longer available.
There are probably three ways to achieve this.
1. Manually changing the owner through the Splunkweb GUI
2. Editing the local.meta file
3. Using REST to update/overwrite ownership
In this topic, we show an example using REST.
Use Case
I'm using SHC (Search Head Clustering). The Splunk version is v6.3.4. A user, user01, left the company and we would like to move ownership of the user's saved searches to an existing user, user02. user01 created a lot of saved searches.
Solution using REST
Well, using the Python SDK and building in robust security, error checking, and logging would be better. But I would like to post a quick solution here.
Three steps
Back up the current configuration, and test this in your test environment several times to make sure you don't run into problems. (In my case, I screwed up with a typo and deleted some saved searches. Lucky me, it was just a test env.)
1. Find all saved searches, whatever their permission (private, app, or global), owned by user01
| rest /servicesNS/-/-/saved/searches
2. Use REST call to change owner
/servicesNS/user01/search/saved/searches/$_SAVED_SEARCH_NAME_$/acl -d owner=user02 -d sharing=$_SHARING_VALUE_$
3. Verify there are no saved searches owned by user01, and all of them are owned by user02
| rest /servicesNS/-/-/saved/searches
4. Reload the scheduler.
./splunk _internal call /servicesNS/user02/search/saved/searches/_reload
Example: Solution using REST
1. Find all saved searches, whatever their permission (private, app, or global), owned by user01
./bin/splunk search \
"| rest splunk_server=local /servicesNS/-/-/saved/searches \
| table eai:acl.sharing eai:acl.owner id \
| rename eai:acl.owner as owner, eai:acl.sharing AS sharing \
| search owner=user01"

sharing owner    id
------- -------- ------------------------------------------------------------------------------------------
global  user01   https://10.140.48.158:55581/servicesNS/nobody/search/saved/searches/Test%2001
app     user01   https://10.140.48.158:55581/servicesNS/nobody/search/saved/searches/Test%2002
global  user01   https://10.140.48.158:55581/servicesNS/nobody/search/saved/searches/Test%2003
user    user01   https://10.140.48.158:55581/servicesNS/user01/splunk_for_vmware/saved/searches/Test%2010
user    user01   https://10.140.48.158:55581/servicesNS/user01/splunk_for_vmware/saved/searches/Test%2011
user    user01   https://10.140.48.158:55581/servicesNS/user01/splunk_for_vmware/saved/searches/Test%2012
2. Use REST call to change owner
REST call for the 2nd step
# Changing from user01 to user02
# Be careful! REST does not have good error checking. You might mess up the result by mistake.
# Note: if sharing is not specified, you're trying to make the object global. But if the object is private, you cannot change its permission to global implicitly, and you get an error.
# Note: Each curl call prints the REST response. I'm not showing the responses here.
ORIG_OWNER=user01
NEW_OWNER=user02
# Each result line has the form "sharing::id", where id is the saved search URL.
for i in $(./bin/splunk search "| rest /servicesNS/-/-/saved/searches | table eai:acl.sharing eai:acl.owner id | rename eai:acl.owner as owner, eai:acl.sharing AS sharing | search owner=\"$ORIG_OWNER\" | eval I = sharing + \"::\" + id | fields I " | grep http); do
    echo "$i"
    SHARING=$(echo "$i" | grep -oP "^.*(?=::)")
    URL=$(echo "$i" | grep -oP "(?<=::).*$")
    curl -k -u admin:changeme "$URL/acl" -d owner="$NEW_OWNER" -d sharing="$SHARING"
done
3. Verify there are no saved searches owned by user01, and all of them are owned by user02
./bin/splunk search \
"| rest splunk_server=local /servicesNS/-/-/saved/searches \
| table eai:acl.sharing eai:acl.owner id \
| rename eai:acl.owner as owner, eai:acl.sharing AS sharing \
| search owner=user02"

sharing owner    id
------- -------- ------------------------------------------------------------------------------------------
global  user02   https://10.140.48.158:55581/servicesNS/nobody/search/saved/searches/Test%2001
app     user02   https://10.140.48.158:55581/servicesNS/nobody/search/saved/searches/Test%2002
global  user02   https://10.140.48.158:55581/servicesNS/nobody/search/saved/searches/Test%2003
user    user02   https://10.140.48.158:55581/servicesNS/user02/splunk_for_vmware/saved/searches/Test%2010
user    user02   https://10.140.48.158:55581/servicesNS/user02/splunk_for_vmware/saved/searches/Test%2011
user    user02   https://10.140.48.158:55581/servicesNS/user02/splunk_for_vmware/saved/searches/Test%2012
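Because the REST call in step 2 does little error checking, a dry run that validates each "sharing::id" line and only prints the curl command it would run lets you review the plan first. This is an added example, not part of the original wiki page; the names plan_acl_change, plan_all and URL_RE, the conservative character sets, and the sample lines (constructed from the step 1 output) are assumptions of this example.

```shell
#!/bin/sh
# Added example: dry-run planner. It only prints curl commands; nothing is sent.
# Input lines use the "sharing::id" form built by the page's eval in step 2.

# Conservative URL shape for ONE saved search (an assumption of this example).
URL_RE='^https://[A-Za-z0-9.:-]+/servicesNS/[A-Za-z0-9._%@-]+/[A-Za-z0-9._%-]+/saved/searches/[A-Za-z0-9._~%-]+$'

# Print the curl command for one line, or explain on stderr why it is skipped.
plan_acl_change() {
    line=$1; new_owner=$2
    case $line in
        *::*) ;;
        *) echo "skip (no '::' separator): $line" >&2; return 1 ;;
    esac
    sharing=${line%%::*}   # text before the first "::"
    url=${line#*::}        # text after the first "::"
    # sharing must be explicit: the page notes an omitted value means global.
    case $sharing in
        user|app|global) ;;
        *) echo "skip (bad sharing '$sharing'): $line" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$url" | grep -Eq "$URL_RE"; then
        echo "skip (unexpected URL): $line" >&2; return 1
    fi
    # Owner restricted to a conservative character set (assumption).
    case $new_owner in
        ''|*[!A-Za-z0-9._-]*) echo "skip (bad owner '$new_owner')" >&2; return 1 ;;
    esac
    # -k as on the page; "-u admin" with no password makes curl prompt for it.
    printf "curl -k -u admin '%s/acl' -d 'owner=%s' -d 'sharing=%s'\n" \
        "$url" "$new_owner" "$sharing"
}

# Plan every stdin line; return 1 if any line was rejected.
plan_all() {
    rc=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        plan_acl_change "$l" "$1" || rc=1
    done
    return "$rc"
}

# Constructed sample input modelled on the step 1 output; the last two lines are
# deliberately malformed (empty sharing, URL without a saved search name).
SAMPLE='global::https://10.140.48.158:55581/servicesNS/nobody/search/saved/searches/Test%2001
user::https://10.140.48.158:55581/servicesNS/user01/splunk_for_vmware/saved/searches/Test%2010
::https://10.140.48.158:55581/servicesNS/nobody/search/saved/searches/Test%2002
app::https://10.140.48.158:55581/servicesNS/nobody/search/saved/searches'

printf '%s\n' "$SAMPLE" | plan_all user02 || echo "some lines rejected" >&2
```

In real use, feed plan_all the "sharing::id" lines from the step 2 search instead of SAMPLE, and run the printed commands only after every line has passed.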