how can a saved search owner be changed

vikram_m · ‎02-15-2017

I have created certain searches which shows admin as owner.

I want to assign it to another user as the report owner. Can we change owner name of the saved search?

morethanyell · ‎07-21-2019

To do this via Web UI, got Settings > All Configurations > Reassign Knowledge Objects (button) > (filter by Orphaned) Reassign

cumbers · ‎07-03-2018

Use this: http://docs.splunk.com/Documentation/Splunk/7.1.1/Knowledge/Resolveorphanedsearches

cumbers · ‎07-03-2018

As of Splunk 7, you can use: http://docs.splunk.com/Documentation/Splunk/7.1.1/Knowledge/Resolveorphanedsearches

aaraneta_splunk · ‎03-19-2017

@vikram_m - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

somesoni2 · ‎02-15-2017

An alternative option using REST API endpoint. See here
https://wiki.splunk.com/Community:How_to_change_owner_of_savedsearches_using_REST_API

Works well with SHC as well. (REST API changes gets replicated across all SHC members)

richgalloway · ‎02-15-2017

Changing the owner is simple, but requires CLI access. Edit $SPLUNK_HOME/etc/apps/myapp/metadata/local.meta. Locate the stanza name matching the saved search name (spaces will be replaced by '%20') then change the "owner = " attribute to the desired value. You'll then need to refresh Splunk (http://localhost:8000/debug/refresh).

---
If this reply helps you, Karma would be appreciated.

vikram_m · ‎02-16-2017

Hello Rich,

Thanks for your answer, but I cannot find any search which I created as admin.

Actually I created 23 searches and alerts which reflects admin as owner I want to change the owner name to xyz but I cannot find a single search in the app/metadata/local.meta file, is there any other place I need to search into.

I checked that I am searching in correct file so please suggest.

Thanks.
Vikram.

sassens1 · ‎02-16-2017

Hi,

you need to know within which app you created your searches, but here are mine under the search app:

[root@LOG01 metadata]# pwd
**/opt/splunk/etc/apps/search/metadata**
[root@LOG01 metadata]# more local.meta 
[indexes/summary_customer1]
owner = admin
version = 6.4.3
modtime = 1474452144.239659000

[savedsearches/gsoc_vip_toomanyemail_bysender]
owner = wx1234
version = 6.5.1
modtime = 1484216408.896170000

../..

richgalloway · ‎02-16-2017

Vikram,

As sassens1 suggests, searches can be stored in many places and not always where you expect. It depends on what app you were last using before creating the search. If you don't find your searches in the file then you may be looking in the wrong file. 😉

Try the search metadata file suggested by sassens1. If that doesn't work do a find $SPLUNK_HOME/etc/apps -name *.meta -print0 | xargs -r0 grep mysearchname.

---
If this reply helps you, Karma would be appreciated.

brandonrobinson · ‎02-15-2017

You can change the owner of the saved search in the metadata file ($SPLUNK_HOME/etc/apps/search/metadata/local.metadata).

how can a saved search owner be changed

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

how can a saved search owner be changed

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console