Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I list all views owned by a particular user?

twinspop
Influencer
‎12-21-2016 07:29 AM

I've tried the /servicesNS/userid/-/data/ui/views endpoint but maybe I'm not using it correctly. I have a known view owned by the user that does not show anywhere in the output from calling that endpoint.

curl -sku admin:password https://127.0.0.1:8089/servicesNS/userid/his_app/data/ui/views | grep known_view_name

The view I searched for is in the app, is shared at app level. If I run:

curl -sku admin:password https://127.0.0.1:8089/servicesNS/userid/his_app/data/ui/views/known_view_name

I get results. What am I missing?

I want a list of the view names (not the titles) for a particular user.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Masa
Splunk Employee
Splunk Employee
‎12-21-2016 10:50 AM

How about a splunk search with "| rest" (Please replace $username$ with a proper user name)

| rest splunk_server=local /servicesNS/-/-/data/ui/views  
   | table eai:acl.sharing eai:acl.owner id 
   | rename eai:acl.owner as owner, eai:acl.sharing AS sharing  | search owner=$username$

View solution in original post

Reply
Solved! Jump to solution
Solution

Masa
Splunk Employee
Splunk Employee
‎12-21-2016 10:50 AM

How about a splunk search with "| rest" (Please replace $username$ with a proper user name)

| rest splunk_server=local /servicesNS/-/-/data/ui/views  
   | table eai:acl.sharing eai:acl.owner id 
   | rename eai:acl.owner as owner, eai:acl.sharing AS sharing  | search owner=$username$
Reply
Solved! Jump to solution

twinspop
Influencer
‎12-21-2016 11:21 AM

Yeah, that would work. Was hoping for a single script solution, but I can copy-pasta.

0 Karma
Reply
Solved! Jump to solution

wrangler2x
Motivator
‎06-09-2017 11:14 AM

Add title immediately after table in the second line of the search to get the search name.

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎12-21-2016 12:39 PM

Actually, throwing this on the command line works really well. I can feed it into a for loop. The end result being a batch ownership change script.

0 Karma
Reply
Solved! Jump to solution

twinspop
Influencer
‎12-21-2016 07:41 AM

Aha. The user had too many views to fit in the default count returned. Final product, including new '?count=0' specifier.

curl -sku admin:password 'https://127.0.0.1:8089/servicesNS/user/app/data/ui/views?count=0' | grep '<id>' | grep app/data/ui/views/ | sed -e 's^.*/views/^^' | sed -e 's^</id>^^'

EDIT: It's imperfect. I see views owned by "nobody" in the returned list. Still trying to find the magix to return just the views owned by user. -sigh-

0 Karma
Reply
Get Updates on the Splunk Community!

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...