Is there an easy way to change the owner of an alert in Splunk Web?

New Member

My alerts are not getting triggered, even after the Start time in Cron Expression met the current time.
I believe it is some sort of access issue...but not exactly sure what all access I should give (I gave Read access to "Everyone" and Write Access to "Admin" )

I would like to know if there is an easy way to change the owner of the Alerts in Splunk Web as we don't have access to conf files right now.

0 Karma

Revered Legend

Changing the owner of the any Splunk artifact is not supported from Splunk Web. Your options would be (since you don't have access to Conf files) to use the REST endpoints.

curl -k -u admin:changeme  -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/User/Apps/saved/searches/AlertSearchName/acl

admin - admin user name
changement - admin password
foo - username of the new owner
localhost - if running from the search head itself, leave it as localhost OR give the fqdn of the search head server
User - current owner of the alert search
Apps - name of the app where this alert search is saved (app context)
AlertSearchName - name of your alert search. If it contains special character/spaces, use the url encoded name

0 Karma

New Member

I am not familiar to this...
where can I get the EndpointURL for my Alert ?
and where should I run this command ?

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...

Reminder! Splunk Love Promo: $25 Visa Gift Card for Your Honest SOAR Review With ...

We recently launched our first Splunk Love Special, and it's gone phenomenally well, so we're doing it again, ...