The learned app is creating objects owned by "nobody". This creates logged error messages about
ERROR AuthenticationManagerLDAP - Could not find user="nobody" with strategy="??????" (?????? is my own...)
I can find these with:
find ./ -name local.meta -exec grep -H 'nobody' {} \;
and they are coming from the learned app. I guess I would like to assign them to "admin" and have the learned app create further new sourcetypes with owner=admin. I can reassign existing ones with
find ./ -name local.meta -exec sed -i 's/owner = nobody/owner = admin/g' {} \;
How do I get future learned sourcetypes to default the owner to admin? (If defaulting the ownership to admin isn't good then please point out why and I will choose a different default user.)
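A scoped alternative to the blanket find/sed above, as an added example that is not part of the original question: the `find ./ -name local.meta -exec sed -i ...` pass rewrites every `local.meta` under the current directory, for every app and every object type that happens to be owned by nobody. The script below operates on one metadata file at a time, only touches stanzas under a given prefix (`props/` for learned sourcetypes is an assumption made here), lists what would change before changing anything, keeps a `.bak` copy, and validates the new owner name so a stray character cannot corrupt the file. The `$SPLUNK_HOME/etc/apps/<app>/metadata/local.meta` layout and the sample file contents are assumptions and constructed data, not taken from the page. As with any direct edit of a .conf or .meta file, make the change with splunkd stopped or restart it afterwards so the running instance and the file agree.

```shell
#!/bin/sh
# Added example (not from the original post): reassign "owner = nobody" entries in one
# Splunk metadata file, limited to stanzas under a given prefix, with a dry run first.
# Assumed (not stated on the page): files live at
# $SPLUNK_HOME/etc/apps/<app>/metadata/local.meta and learned sourcetypes sit in
# [props/...] stanzas.

# list_nobody_stanzas META PREFIX
#   Print each stanza name in META that starts with PREFIX and contains an
#   "owner = nobody" line. An empty PREFIX matches every stanza.
list_nobody_stanzas() {
    awk -v prefix="$2" '
        /^\[/ {                      # stanza header such as [props/my_type]; strip [ and ]
            stanza = substr($0, 2, length($0) - 2)
            hit = (substr(stanza, 1, length(prefix)) == prefix)
        }
        hit && /^[[:space:]]*owner[[:space:]]*=[[:space:]]*nobody[[:space:]]*$/ { print stanza }
    ' "$1"
}

# reassign_owner META PREFIX NEW_OWNER
#   Copy META to META.bak, then rewrite "owner = nobody" as "owner = NEW_OWNER" only
#   inside stanzas that start with PREFIX. Prints the number of stanzas changed.
#   NEW_OWNER is restricted to a conservative character set before anything is touched.
reassign_owner() {
    ro_meta=$1; ro_prefix=$2; ro_owner=$3
    case "$ro_owner" in
        ""|*[!A-Za-z0-9._@-]*) echo "refusing unsafe owner name: $ro_owner" >&2; return 2 ;;
    esac
    ro_before=$(list_nobody_stanzas "$ro_meta" "$ro_prefix" | wc -l | tr -d '[:space:]')
    cp -p "$ro_meta" "$ro_meta.bak" || return 1
    awk -v prefix="$ro_prefix" -v owner="$ro_owner" '
        /^\[/ {
            stanza = substr($0, 2, length($0) - 2)
            hit = (substr(stanza, 1, length(prefix)) == prefix)
        }
        # Replace the whole line rather than using sub(), so "&" in the owner name is not special
        hit && /^[[:space:]]*owner[[:space:]]*=[[:space:]]*nobody[[:space:]]*$/ { $0 = "owner = " owner }
        { print }
    ' "$ro_meta.bak" > "$ro_meta" || return 1
    ro_after=$(list_nobody_stanzas "$ro_meta" "$ro_prefix" | wc -l | tr -d '[:space:]')
    echo $((ro_before - ro_after))
}

# make_sample_meta PATH
#   Write a constructed local.meta (sample data for this example, not a real file):
#   two learned-sourcetype stanzas, one of them owned by nobody, plus a saved search.
make_sample_meta() {
    cat > "$1" <<'EOF'
[]
access = read : [ * ], write : [ admin ]
export = system

[props/learned_type_a]
owner = nobody
modtime = 1589999999.000000000

[props/learned_type_b]
owner = admin
modtime = 1589999999.000000000

[savedsearches/Errors]
owner = nobody
EOF
}

# Usage: sh fix_owner.sh META PREFIX NEW_OWNER [--apply]
# Without --apply this only lists the stanzas that would change.
if [ $# -ge 3 ]; then
    echo "Stanzas under [$2...] with owner = nobody in $1:"
    list_nobody_stanzas "$1" "$2"
    if [ "${4:-}" = "--apply" ]; then
        n=$(reassign_owner "$1" "$2" "$3") && echo "changed $n stanza(s); backup in $1.bak"
    else
        echo "dry run; add --apply as the fourth argument to rewrite the file"
    fi
fi
```

Run it first without `--apply` against the learned app's `metadata/local.meta` to see which `[props/...]` stanzas would move, then with `--apply`; the saved-search stanza in the sample is deliberately left alone because it does not match the prefix.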
Hi dleifer_mercury,
I have written a script that changes the owner. I based it on the code from here and modified it for my use. This script looks for all objects of a specific type (e.g. saved searches) owned by a given user. The type of object can be changed, but only manually; this is to prevent errors. I would run this script every so often to identify and make ownership changes, or use a cron job to automate it. I would, however, advise against the latter, so that you keep complete control of the changes.
#!/bin/bash
# This script reassigns all objects of one type (saved searches/alerts/reports by default)
# owned by "No owner", i.e. the user "nobody", to a new owner via the Splunk REST API.
# Timestamp used for log entries
_now=$(date +"%Y-%m-%d %H:%M:%S")
############################
# Required information
############################
# Log path
log_dir=/opt/scripts/logs
# Owners
ORIG_OWNER=nobody
NEW_OWNER=saved-search-user
# Object type: REST endpoint under /servicesNS/-/-/
Sub_Path="saved/searches"
# Other Sub_Path options #
# saved/searches
# saved/eventtypes
# saved/fvtags
# data/lookup-table-files
# data/transforms/lookups
# data/transforms/extractions
# data/props/lookups
# data/props/extractions
# data/ui/views
# data/ui/nav
# data/inputs/script
# Dry run: leave at 1 for a first run so you can review which objects would be changed;
# set to 0 to actually apply the ownership change.
DRY_RUN=1
############################
# End of required information
############################
echo ""
echo "With DRY_RUN=1 this script only lists the objects that would be changed. Review that list first, then set DRY_RUN=0 to apply the changes."
echo "Please enter admin's password (Note: the password is not echoed; just press [Enter] after typing it): "
read -s password
# Note: the password is handed to splunk (-auth) and curl (-u) on their command lines, so it is
# visible in the process list (ps) for the duration of each call. Run this only on a host you control.
# Reference: http://wiki.splunk.com/Community:How_to_change_owner_of_savedsearches_using_REST_API
# Be careful! The REST call does little error checking; a wrong owner or sharing value is applied as given.
# Note: if sharing is not specified, the acl endpoint treats the request as "make it global". A private
# object cannot be made global implicitly and the call fails, so the object's current sharing is re-sent.
# Note: curl prints the raw REST response (XML); it is not parsed here.
mkdir -p "$log_dir"
# List every object of the selected type owned by $ORIG_OWNER as one "sharing::id" line each.
# -maxout 0 lifts the CLI's default result cap so objects beyond the first page are not silently skipped.
/opt/splunk/bin/splunk search "| rest splunk_server=local /servicesNS/-/-/$Sub_Path
    | table eai:acl.sharing eai:acl.owner id
    | rename eai:acl.owner as owner, eai:acl.sharing AS sharing
    | search owner=\"$ORIG_OWNER\"
    | eval I = sharing + \"::\" + id
    | fields I" -auth "admin:$password" -maxout 0 \
| grep http \
| while read -r i; do
    echo "$i"
    SHARING=${i%%::*}   # text before the first "::"
    URL=${i#*::}        # text after it: the object's REST id (a URL)
    if [ "$DRY_RUN" = 1 ]; then
        echo "$_now - would change owner of $URL ($SHARING) from $ORIG_OWNER to $NEW_OWNER"
    else
        echo "$_now - $SHARING $URL" >> "$log_dir/owner_change.log"
        curl -k -u "admin:$password" "$URL/acl" -d "owner=$NEW_OWNER" -d "sharing=$SHARING"
    fi
done