Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to change saved search permissions via python ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
I am looking for a way to change permissions to a saved search via splunk python SDK.
I tried using the splunklib.client post method:
import splunklib.client as client
app = "app_name"
cred = {"user": "admin", "password": "changeme", "port": 8089, "host": "localhost","owner":"admin"}
service = client.connect(app=app,**cred)
service.post('saved/searches/report_name/acl', sharing="app" )
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 238, in wrapper
return request_fun(self, *args, **kwargs)
File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 62, in new_f
val = f(*args, **kwargs)
File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 657, in post
response = self.http.post(path, all_headers, **query)
File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 1089, in post
return self.request(url, message)
File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 1109, in request
raise HTTPError(response)
splunklib.binding.HTTPError: HTTP 404 Not Found --
In handler 'savedsearch': Could not find object id=report_name
When i try using curl i get no problem:
curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/app_name/saved/searches/report_name/acl -d sharing=app
Maybe i am doing something wrong? Or maybe there is other way to do it and i am missing it?
Regards,
Dori
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I didn't find a way to do with the splunklib.client object, but i was able to pass it using the answer to this question (see @flynt answer):
Note - Flynt answer is working but the URL there is wrong (or apply to older splunk version). See my comments there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You had the right idea to post to /acl, but you need to urlencode the parameters.
The following creates a new EventType then changes the permissions afterwards. There does not appear to be a way to assign the roles with the initial create method. The "/acl" link can be derived from links in the returned Stanza object.
from urllib.parse import urlencode
newperms = { "perms.read": "role name 1,role name 2, role name 3",
"perms.write": "role name 1, role name 2",
"sharing": "app", "owner": "nobody"
}
newet = sdk.confs["eventtypes"].create("test_event_type",sharing="app",app="custom_app")
sdk.post("%s/%s" % (newet.links["alternate"], "acl"), body=urlencode(newperms))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I didn't find a way to do with the splunklib.client object, but i was able to pass it using the answer to this question (see @flynt answer):
Note - Flynt answer is working but the URL there is wrong (or apply to older splunk version). See my comments there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your comment @dorilevy, however that example does indeed include the correct URL.
"https://localhost:8089/servicesNS/%s/search/saved/searches/%s/acl" % ("admin", ss)
request = urllib2.Request( url )
It's important to remember the app context the saved search resides in otherwise you will run into an issue where the saved search is not found. For example if I had an app named "MYAPP" and a saved search named "MYSEARCH" the url should reflect that.
https://localhost:8089/servicesNS/admin/MYAPP/saved/searches/MYSEARCH/acl
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @flynt,
You are correct. i missed the app context (my app is not search, that is why i thought it is mistake). Sorry about it, and again - thanks for the solution.
Dori
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
