Deployment Architecture

how can a saved search owner be changed

vikram_m
Path Finder

I have created certain searches which shows admin as owner.

I want to assign it to another user as the report owner. Can we change owner name of the saved search?

morethanyell
Builder

To do this via Web UI, got Settings > All Configurations > Reassign Knowledge Objects (button) > (filter by Orphaned) Reassign

cumbers
Explorer
0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@vikram_m - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

An alternative option using REST API endpoint. See here
https://wiki.splunk.com/Community:How_to_change_owner_of_savedsearches_using_REST_API

Works well with SHC as well. (REST API changes gets replicated across all SHC members)

richgalloway
SplunkTrust
SplunkTrust

Changing the owner is simple, but requires CLI access. Edit $SPLUNK_HOME/etc/apps/myapp/metadata/local.meta. Locate the stanza name matching the saved search name (spaces will be replaced by '%20') then change the "owner = " attribute to the desired value. You'll then need to refresh Splunk (http://localhost:8000/debug/refresh).

---
If this reply helps you, Karma would be appreciated.

vikram_m
Path Finder

Hello Rich,

Thanks for your answer, but I cannot find any search which I created as admin.

Actually I created 23 searches and alerts which reflects admin as owner I want to change the owner name to xyz but I cannot find a single search in the app/metadata/local.meta file, is there any other place I need to search into.

I checked that I am searching in correct file so please suggest.

Thanks.
Vikram.

0 Karma

sassens1
Path Finder

Hi,

you need to know within which app you created your searches, but here are mine under the search app:

[root@LOG01 metadata]# pwd
**/opt/splunk/etc/apps/search/metadata**
[root@LOG01 metadata]# more local.meta 
[indexes/summary_customer1]
owner = admin
version = 6.4.3
modtime = 1474452144.239659000

[savedsearches/gsoc_vip_toomanyemail_bysender]
owner = wx1234
version = 6.5.1
modtime = 1484216408.896170000

../..

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Vikram,

As sassens1 suggests, searches can be stored in many places and not always where you expect. It depends on what app you were last using before creating the search. If you don't find your searches in the file then you may be looking in the wrong file. 😉

Try the search metadata file suggested by sassens1. If that doesn't work do a find $SPLUNK_HOME/etc/apps -name *.meta -print0 | xargs -r0 grep mysearchname.

---
If this reply helps you, Karma would be appreciated.
0 Karma

brandonrobinson
Engager

You can change the owner of the saved search in the metadata file ($SPLUNK_HOME/etc/apps/search/metadata/local.metadata).

Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...