Reporting

How do I change the owner of a saved search?

aware74
Explorer

I don't see any way to do it within the UI, and I'm not sure how to do it on the actual Splunk server.

We are running Splunk 4.3.

Thanks,
Mike

Tags (2)
1 Solution

jbsplunk
Splunk Employee
Splunk Employee

You can update the metadata in the location where the savedsearches.conf file exists. For instance, I've got a saved search in $SPLUNK_HOME/etc/apps/search/local, I can change the owner in $SPLUNK_HOME/etc/apps/search/metadata/local.meta

If I take this:

[savedsearches/mysearch]
export = none
owner = admin
version = 4.3.1
modtime = 1334164870.793299000

and edit it to this:

[savedsearches/mysearch]
export = none
owner = userx
version = 4.3.1
modtime = 1334164870.793299000

Now 'userx' is the owner, and not admin.

View solution in original post

woodcock
Esteemed Legend

gn694
Communicator

If you cant restart the Splunk service, it looks like Splunk will automatically reload the meta file info in some (unknown) time interval. I changed the owner for a bunch of saved searches. The changes did not appear in the GUI immediately, and I was not able to restart the Splunk service (doing so would cause a temporary service outage and affect those running searches.) Within half an hour I refreshed the Saved Searches page in my web browserand all of the new owners appeared.

0 Karma

jbsplunk
Splunk Employee
Splunk Employee

You can update the metadata in the location where the savedsearches.conf file exists. For instance, I've got a saved search in $SPLUNK_HOME/etc/apps/search/local, I can change the owner in $SPLUNK_HOME/etc/apps/search/metadata/local.meta

If I take this:

[savedsearches/mysearch]
export = none
owner = admin
version = 4.3.1
modtime = 1334164870.793299000

and edit it to this:

[savedsearches/mysearch]
export = none
owner = userx
version = 4.3.1
modtime = 1334164870.793299000

Now 'userx' is the owner, and not admin.

dglinder
Path Finder

If you can't restart the splunkd process, calling the URL "http://SplunkServer:8000/en-US/debug/refresh" will force the Splunk process to re-read the meta file information.

dgavic
Explorer

After changing the ownership of a saved search in the local.meta file, and restarting Splunk the ownership of a saved search was changed successfully. Thank you for the great tip.

0 Karma

piebob
Splunk Employee
Splunk Employee

the only thing i can think of is that maybe you changed the wrong local.metadata file?

0 Karma

aware74
Explorer

I did the same exact thing, restarted the Splunk server, and I'm still the owner of the searches even though I changed the owner to a different account.

Thanks,
Mike

0 Karma

Giggs
New Member

Tried this but still same result, no owner in gui, do i need to do something else besides doing a restart av splunk?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...