Deployment Architecture

How do I change the owner of a saved search or view in a search head cluster environment?

rphillips_splk
Splunk Employee

I need to change the owner of a search or dashboard view. Using the deployer merges changes from local.meta back to default.meta on the SHC members when the bundle gets distributed, and the original local.meta on the SHC members still overrides the default.meta configuration. I also want the configuration to get replicated across all search head cluster members.

1 Solution

rphillips_splk
Splunk Employee

This change can be made using the REST endpoint and will get replicated across all members in the cluster.

The example below changes the owner of the search called search_test1 to owner foo.

Run this from the CLI on one of the cluster members with the name of the search you need to change:

curl -k -u admin:changeme -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/$user$/$app$/saved/searches/$saved_search_name$/acl 

example:

curl -k -u admin:changeme -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/admin/search/saved/searches/search_test1/acl 

This example changes the owner of the view called test_dashboard1 to owner = foo:

curl -k -u admin:changeme -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/$user$/$app$/data/ui/views/$viewname$/acl 

example:

curl -k -u admin:changeme -d 'owner=foo' -d 'sharing=app' https://localhost:8089/servicesNS/admin/rob/data/ui/views/test_dashboard1/acl


splunkreal
Motivator

Hello,

I've a lot of reports and dashboards which require owner change (my login changed).

How to do it globally for all files in a search head cluster? Any shell script somewhere? Should we run it on the SHC (captain)?

Thanks.

* If this helps, please upvote or accept solution if it solved *
0 Karma

Masa
Splunk Employee

Added an example for bulk change for savedsearches using this REST call

http://wiki.splunk.com/Community:How_to_change_owner_of_savedsearches_using_REST_API

0 Karma
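
Added example, not part of any post in this thread and not Splunk's own code: a bulk version of the single-object /acl call from the accepted solution, going beyond it by planning the change for every saved search owned by one user. It assumes the listing was fetched with GET /servicesNS/-/-/saved/searches?output_mode=json&count=0; the function names and the sample listing are constructed for illustration, and each object keeps its current sharing level instead of being forced to app.

```python
import base64
import json
import urllib.request
from urllib.parse import quote, urlencode

# Constructed sample: a saved/searches listing trimmed to the fields used below.
SAMPLE_LISTING = json.dumps({"entry": [
    {"name": "search_test1", "acl": {"owner": "olduser", "app": "search", "sharing": "app"}},
    {"name": "Failed logins 24h", "acl": {"owner": "olduser", "app": "search", "sharing": "user"}},
    {"name": "other_report", "acl": {"owner": "admin", "app": "search", "sharing": "global"}},
]})

def acl_url(base, user, app, kind, name):
    """Build the /acl URL for one object, percent-encoding every path segment."""
    segments = [user, app, *kind.split("/"), name]
    return f"{base}/servicesNS/" + "/".join(quote(s, safe="") for s in segments) + "/acl"

def plan_owner_change(listing_json, old_owner, new_owner, base, kind="saved/searches"):
    """Return (url, form_body) pairs for every listed object owned by old_owner."""
    plan = []
    for entry in json.loads(listing_json)["entry"]:
        acl = entry["acl"]
        if acl["owner"] != old_owner:
            continue  # leave other users' objects untouched
        # Keep the current sharing level so a private object is not exposed app-wide.
        body = urlencode({"owner": new_owner, "sharing": acl["sharing"]})
        plan.append((acl_url(base, old_owner, acl["app"], kind, entry["name"]), body))
    return plan

def apply_plan(plan, user, password):
    """POST each change. Certificate verification stays on (no curl -k equivalent)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    for url, body in plan:
        req = urllib.request.Request(url, data=body.encode(),
                                     headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req) as resp:
            print(resp.status, url)

if __name__ == "__main__":
    # Dry run: print what would be sent, send nothing.
    for url, body in plan_owner_change(SAMPLE_LISTING, "olduser", "foo", "https://localhost:8089"):
        print("POST", url, body)
```

For dashboards, pass kind="data/ui/views" with a listing taken from that endpoint; review the dry-run output before calling apply_plan, and read the password with getpass rather than placing it on the command line.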

hemendralodhi
Contributor

Hello,

When changing ownership of views, I am getting the error below. I tried with the GET option too, same result.

Method Not Allowed

Specified method is not allowed on this resource.

Any advice on changing views ownership?

Thanks

0 Karma

vsingla1
Communicator

@hemendralodhi I got it working for changing ownership of a view through the REST API. Did you get it working for yours? If not, what is the syntax you are using? I am sure there is a typo in the URL that you are doing the curl with.

0 Karma

RMartinezDTV
Path Finder

I've seen that error message too many times myself! Here's what I've learned trying to delete/rename knowledge objects:

  • Ensure you are hitting the /acl endpoint
  • Try both Splunk CLI and REST API since they have different messages
  • If REST API fails (e.g. Method Not Allowed), ensure the search/dashboard isn't coming from a deployment server or 'default' folder.
  • That means check savedsearches.conf (or .xml for dashboards), but also check the .meta files for references.

Clearing all these references (.conf, .xml, .meta) should allow you to perform the operation you like. I'd suggest hitting the API at https://:8089/ in the browser because it's easier to browse and learn what the methods are for a given endpoint.

0 Karma