Is there an easy way to change the owner of an ale...

prakashbhanu407 · ‎04-12-2016

My alerts are not getting triggered, even after the Start time in Cron Expression met the current time.
I believe it is some sort of access issue...but not exactly sure what all access I should give (I gave Read access to "Everyone" and Write Access to "Admin" )

I would like to know if there is an easy way to change the owner of the Alerts in Splunk Web as we don't have access to conf files right now.

somesoni2 · ‎04-12-2016

Changing the owner of the any Splunk artifact is not supported from Splunk Web. Your options would be (since you don't have access to Conf files) to use the REST endpoints.

curl -k -u admin:changeme  -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/User/Apps/saved/searches/AlertSearchName/acl

Update
where,
admin - admin user name
changement - admin password
foo - username of the new owner
localhost - if running from the search head itself, leave it as localhost OR give the fqdn of the search head server
User - current owner of the alert search
Apps - name of the app where this alert search is saved (app context)
AlertSearchName - name of your alert search. If it contains special character/spaces, use the url encoded name

prakashbhanu407 · ‎04-12-2016

I am not familiar to this...
where can I get the EndpointURL for my Alert ?
and where should I run this command ?

Is there an easy way to change the owner of an alert in Splunk Web?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases