Is this able to be done on the search line using the rest command? I can use the rest command to return all the saved searches but not sure how I can add the request body?

Hi @klim,

Unfortunately, not.

| rest can only be used to perform GET requests. You cannot use any other HTTP method.

If you want to do this with a Splunk search (and not a different program like curl) then I would consider a custom command / alert action. There is some old stuff kicking around on Splunkbase that might be able to help but I haven't seen anything that is supported on Splunk 9.x.

I was trying to just see the permissions with the curl of a private saved search but I always return a 

"Could not find object id=abc"

Is it not possible to see private objects permissions with an admin user?

curl -k -u username:password https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/abc/acl

Edit: Figured it out. I needed to change the username in the url from admin to the owner of the saved search.

curl -k -u username:password https://127.0.0.1:8089/servicesNS/admin/search/saved/searches/abc/acl

The servicesNS API (services namespace) explicitly uses user/app contexts (namespaces) to fetch results.

servicesNS/<<user>>/<<app>>

In order for the abc search to be shown, it must be visible to that <<user>> in that <<app>>.

You can use the servicesNS/-/-/ endpoint to return all namespace contexts e.g:

curl -k -u username:password https://127.0.0.1:8089/servicesNS/-/-/saved/searches/abc/acl

Darn. Thanks for your help. Probably will go down the custom command route.

https://splunkbase.splunk.com/app/4146

Webtools TA has a custom curl command and can do POST - it's a bit tricky sometimes to get the right data into the headers and body as I believe there was once a bug in the extracting of JSON data used for headers, but if you know python, it's easy enough to tweak it.