An alternative option using the REST API endpoint. See here
Works well with SHC as well. (REST API changes get replicated across all SHC members.)
Changing the owner is simple, but requires CLI access. Edit $SPLUNK_HOME/etc/apps/myapp/metadata/local.meta. Locate the stanza name matching the saved search name (spaces will be replaced by '%20') then change the "owner = " attribute to the desired value. You'll then need to refresh Splunk (http://localhost:8000/debug/refresh).
Thanks for your answer, but I cannot find any search which I created as admin.
Actually, I created 23 searches and alerts which reflect admin as owner. I want to change the owner name to xyz, but I cannot find a single search in the app/metadata/local.meta file. Is there any other place I need to search?
I checked that I am searching in the correct file, so please suggest.
You need to know within which app you created your searches, but here are mine under the search app:
```
[root@LOG01 metadata]# pwd
/opt/splunk/etc/apps/search/metadata
[root@LOG01 metadata]# more local.meta
[indexes/summary_customer1]
owner = admin
version = 6.4.3
modtime = 1474452144.239659000

[savedsearches/gsoc_vip_toomanyemail_bysender]
owner = wx1234
version = 6.5.1
modtime = 1484216408.896170000
```
As sassens1 suggests, searches can be stored in many places and not always where you expect. It depends on what app you were last using before creating the search. If you don't find your searches in the file then you may be looking in the wrong file. 😉
Try the search metadata file suggested by sassens1. If that doesn't work, do a
find "$SPLUNK_HOME/etc/apps" -name '*.meta' -print0 | xargs -r0 grep mysearchname
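An added example, not written by any poster in this thread: a shell function that takes the find/grep approach above one step further by parsing the stanzas, so it reports which app's .meta file holds each saved search owned by a given user and shows `%20` in stanza names as spaces. The function names and the sample tree are constructed for illustration; on a real host, pass `$SPLUNK_HOME/etc/apps` as the root.

```shell
#!/usr/bin/env bash
# Added example: find saved searches by owner across every app's *.meta file.

# list_owned_searches ROOT OWNER
# Prints "file<TAB>search name" for each [savedsearches/...] stanza under ROOT
# whose "owner = " attribute equals OWNER. Other stanza types are ignored.
list_owned_searches() {
    root=$1 owner=$2
    find "$root" -type f -name '*.meta' -print0 |
    xargs -r0 awk -v want="$owner" '
        FNR == 1 { stanza = "" }                 # new file: forget the last stanza
        /^\[/ {                                  # any stanza header
            stanza = ""
            if ($0 ~ /^\[savedsearches\/.+\]/) {
                stanza = $0
                sub(/^\[savedsearches\//, "", stanza)
                sub(/\][ \t]*$/, "", stanza)
                gsub(/%20/, " ", stanza)         # spaces are stored as %20
            }
            next
        }
        stanza != "" && /^[ \t]*owner[ \t]*=/ {
            val = $0
            sub(/^[ \t]*owner[ \t]*=[ \t]*/, "", val)
            sub(/[ \t\r]+$/, "", val)
            if (val == want) printf "%s\t%s\n", FILENAME, stanza
        }
    '
}

# make_sample_tree: builds a constructed two-app layout in a temp directory
# (the "search" app mirrors the listing in the thread; "myapp" is made up).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/search/metadata" "$t/myapp/metadata"
    printf '%s\n' '[indexes/summary_customer1]' 'owner = admin' \
        '[savedsearches/gsoc_vip_toomanyemail_bysender]' 'owner = wx1234' \
        > "$t/search/metadata/local.meta"
    printf '%s\n' '[savedsearches/Failed%20logins]' 'owner = admin' \
        > "$t/myapp/metadata/local.meta"
    echo "$t"
}

tree=$(make_sample_tree)
list_owned_searches "$tree" admin    # only myapp's "Failed logins" is listed
rm -rf "$tree"
```

In the sample, the admin-owned search lives in a different app than the one first inspected, and the admin-owned `indexes/` stanza is correctly skipped.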