Getting Data In

How do I get the learned app to set owner to a valid user?

dleifer_mercury
New Member

The learned app is creating objects owned by "nobody". This creates logged error messages about

ERROR AuthenticationManagerLDAP - Could not find user="nobody" with strategy="??????""  (????? is my own...)

I can find these with:

find ./ -name local.meta -exec grep -H 'nobody' {} \;

and they are coming from the learned app. I guess I would like to assign them to "admin" and have learned create further new sourcetypes with owner=admin. I can reassign existing ones with

find ./ -name local.meta -exec sed -i 's/owner = nobody/owner = admin/g' {} \;

How do I get future learned sourcetypes to default the owner to admin? (If defaulting the ownership to admin isn't good then please point out why and I will choose a different default user.)

0 Karma

Powers64
Explorer

Hi dleifer_mercury,

I have written a script that changes the owner. I used on the code from here and modified it for my use. This script will look for all files owned by a user from a specific objects, ex. Saved search. The type of object can be changed however manually this is to prevent errors. I would run this script every so often to identify and make ownership changes or use a cron job to automate it. I would however advise against the latter to have complete control of changes.

#!/bin/bash
#This script is intended to replace all search/alerts/reports owned by "No owner" aka nobody

#Timestamp used for logs
_now=$(date +"%Y-%m-%d %H:%M:%S")

############################
#Required Information Needed
############################
#Log Path
log_dir=/opt/scripts/logs

#Owners
ORIG_OWNER=nobody
NEW_OWNER=saved-search-user
Sub_Path="saved/searches"
# Other Sub_Path options #
# saved/searches
# saved/eventtypes
# saved/fvtags
# data/lookup-table-files
# data/transforms/lookups
# data/transforms/extractions
# data/props/lookups
# data/props/extractions
# data/ui/views
# data/ui/nav
# data/inputs/script
############################
#End of required Information
############################

echo ""
echo "Abort this script if you have not checked what will be changed, run the script with line 52 and 53 commented out"
echo "Please enter admin's password (Note: Password is invisiable, just press [Enter] after typed): "
read -s password

echo "Note: The previous password request is for the script which is needed on every run. Once every hour (default session timeout) splunk will request its own login of admin. "

# Reference: http://wiki.splunk.com/Community:How_to_change_owner_of_savedsearches_using_REST_API
# Be careful ! REST does not have a good error checking. You might mess up the result by mistake.
# Note: if sharing is not specified, you're trying to make it as global. But, if the object is private, you cannot change permission to global implicitly, and get error.
# Note: This will return REST call return. I'm not showing the returns here (header names)

for i  in `/opt/splunk/bin/./splunk search "| rest splunk_server=local /servicesNS/-/-/$Sub_Path
            | table eai:acl.sharing eai:acl.owner id
            | rename eai:acl.owner as owner, eai:acl.sharing AS sharing
            | search owner=\"$ORIG_OWNER\"
            | eval I = sharing + \"::\" + id
            | fields I " \
            | grep http`;
do echo $i;
SHARING=$( echo $i | grep -oP "^.*(?=::)" ) ;
URL=$(echo $i | grep -oP "(?<=::).*$" ) ;

# To identify what will be changed first, comment out the following two rows
#echo $_now "-" $SHARING $URL >> $log_dir/owner_change.log;
#curl -k -u admin:$password $URL/acl -d owner=$NEW_OWNER -d sharing=$SHARING ;
done
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...