Deployment Architecture

How do I change the owner of a saved search or view in a search head cluster environment?

Splunk Employee

I need to change the owner of a search or dashboard view. Using the deployer merges changes from local.meta back to default.meta on the SHC members when the bundle gets distributed, and the original local.meta on the SHC members still overrides the default.meta configuration. I also want the configuration to get replicated across all search head cluster members.

1 Solution

Splunk Employee

This change can be made using the REST endpoint and will get replicated across all members in the cluster.

The example below changes the owner of the search called search_test1 to owner foo.

Run this from the CLI on one of the cluster members, with the name of the search you need to change:

curl -k -u admin:changeme -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/$user$/$app$/saved/searches/$saved_search_name$/acl 

Example:

curl -k -u admin:changeme -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/admin/search/saved/searches/search_test1/acl 

This example changes the owner of the view called test_dashboard1 to owner = foo:

curl -k -u admin:changeme -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/$user$/$app$/data/ui/views/$viewname$/acl 

Example:

curl -k -u admin:changeme -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/admin/rob/data/ui/views/test_dashboard1/acl


Builder

Hello,

I've a lot of reports and dashboards which require owner change (my login changed).

How to do it globally for all files in a search head cluster? Any shell script somewhere? Should we run it on the SHC (captain)?

Thanks.

0 Karma

Splunk Employee

Added an example for bulk change for savedsearches using this REST call:

http://wiki.splunk.com/Community:How_to_change_owner_of_savedsearches_using_REST_API

0 Karma
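
An added example for the bulk case asked about above (not from this thread or the linked wiki page): it reads a saved-search listing and plans one /acl call per object owned by the old login, as curl commands to review before running on one cluster member. The function names, the sample listing, and the choice to keep each object's existing sharing level are assumptions of this example.

```python
import json
import shlex
from urllib.parse import quote

# Constructed sample of the "entry" list that
# GET /servicesNS/-/-/saved/searches?output_mode=json returns,
# trimmed to the fields used here. Not captured from a real deployment.
SAMPLE_LISTING = json.dumps({"entry": [
    {"name": "search_test1",
     "acl": {"app": "search", "owner": "admin", "sharing": "app"}},
    {"name": "Errors last 24h",
     "acl": {"app": "rob", "owner": "admin", "sharing": "user"}},
    {"name": "license usage",
     "acl": {"app": "search", "owner": "nobody", "sharing": "global"}},
]})


def plan_owner_changes(listing_json, old_owner, new_owner,
                       kind="saved/searches", base="https://localhost:8089"):
    """Return [(acl_url, form_fields)] for objects owned by old_owner."""
    plan = []
    for entry in json.loads(listing_json).get("entry", []):
        acl = entry.get("acl", {})
        if acl.get("owner") != old_owner:
            continue  # leave objects owned by anyone else untouched
        # Object names may contain spaces or slashes: encode every segment.
        segments = [old_owner, acl["app"], *kind.split("/"), entry["name"], "acl"]
        url = base + "/servicesNS/" + "/".join(quote(s, safe="") for s in segments)
        # Assumption: keep each object's current sharing level instead of
        # forcing sharing=app as the commands in the thread do.
        plan.append((url, {"owner": new_owner, "sharing": acl["sharing"]}))
    return plan


def as_curl(url, fields, user="admin"):
    """Render one planned change as a curl command for review before running."""
    # -u with no password makes curl prompt, keeping it out of shell history.
    # -k (used in the thread, skips certificate verification) is omitted;
    # pass --cacert with the CA of the management port instead.
    data = " ".join("--data-urlencode " + shlex.quote(f"{k}={v}")
                    for k, v in fields.items())
    return f"curl -u {shlex.quote(user)} {data} {shlex.quote(url)}"


if __name__ == "__main__":
    for url, fields in plan_owner_changes(SAMPLE_LISTING, "admin", "foo"):
        print(as_curl(url, fields))
```

For dashboards, pass kind="data/ui/views" with a listing taken from that endpoint.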

Contributor

Hello,

When changing ownership of views, I am getting the error below. I tried with the GET option too, same result:

Method Not Allowed

Specified method is not allowed on this resource.

Any advice on changing views ownership?

Thanks

0 Karma

Communicator

@hemendralodhi I got it working for changing ownership of a view through the REST API. Did you get it working for yours? If not, what is the syntax you are using? I am sure there is a typo in the URL that you are doing the curl with.

0 Karma

Path Finder

I've seen that error message too many times myself! Here's what I've learned trying to delete/rename knowledge objects:

  • Ensure you are hitting the /acl endpoint
  • Try both Splunk CLI and REST API since they have different messages
  • If REST API fails (e.g. Method Not Allowed), ensure the search/dashboard isn't coming from a deployment server or 'default' folder.
  • That means check savedsearches.conf (or .xml for dashboards), but also check the .meta files for references.

Clearing all these references (.conf, .xml, .meta) should allow you to perform the operation you like. I'd suggest hitting the API at https://:8089/ in the browser because it's easier to browse and learn what the methods are for a given endpoint.

0 Karma