Getting Data In

How can I list all views owned by a particular user?

twinspop
Influencer

I've tried the /servicesNS/userid/-/data/ui/views endpoint but maybe I'm not using it correctly. I have a known view owned by the user that does not show anywhere in the output from calling that endpoint.

curl -sku admin:password https://127.0.0.1:8089/servicesNS/userid/his_app/data/ui/views | grep known_view_name

The view I searched for is in the app, is shared at app level. If I run:

curl -sku admin:password https://127.0.0.1:8089/servicesNS/userid/his_app/data/ui/views/known_view_name

I get results. What am I missing?

I want a list of the view names (not the titles) for a particular user.

Thanks!

0 Karma
1 Solution

Masa
Splunk Employee
Splunk Employee

How about a splunk search with "| rest" (Please replace $username$ with a proper user name)

| rest splunk_server=local /servicesNS/-/-/data/ui/views  
   | table eai:acl.sharing eai:acl.owner id 
   | rename eai:acl.owner as owner, eai:acl.sharing AS sharing  | search owner=$username$

View solution in original post

Masa
Splunk Employee
Splunk Employee

How about a splunk search with "| rest" (Please replace $username$ with a proper user name)

| rest splunk_server=local /servicesNS/-/-/data/ui/views  
   | table eai:acl.sharing eai:acl.owner id 
   | rename eai:acl.owner as owner, eai:acl.sharing AS sharing  | search owner=$username$

twinspop
Influencer

Yeah, that would work. Was hoping for a single script solution, but I can copy-pasta.

0 Karma

wrangler2x
Motivator

Add title immediately after table in the second line of the search to get the search name.

0 Karma

twinspop
Influencer

Actually, throwing this on the command line works really well. I can feed it into a for loop. The end result being a batch ownership change script.

0 Karma

twinspop
Influencer

Aha. The user had too many views to fit in the default count returned. Final product, including new '?count=0' specifier.

curl -sku admin:password 'https://127.0.0.1:8089/servicesNS/user/app/data/ui/views?count=0' | grep '<id>' | grep app/data/ui/views/ | sed -e 's^.*/views/^^' | sed -e 's^</id>^^'

EDIT: It's imperfect. I see views owned by "nobody" in the returned list. Still trying to find the magix to return just the views owned by user. -sigh-

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...