One of my Splunk users has left the company. She owned an App and many saved searches, alerts, etc that all have her name on them. How can I change these to have the name of the new owner of this App? I considered just copying the contents of her $SPLUNK_HOME/etc/users/UserID/AppID/* to the new user's directory but he has already started to create 'stuff' and I did not want to overwrite his work. How might I get this done?
If you utilize the Splunk Manager, changing the scope (permissions) of an object like a savedsearch, macro, UI view, etc, will move it around the filesystem for you. Consider changing it to have "application" scope, which will place it in the context of the owning application ($SPLUNK_HOME/etc/apps/<appname>), vs. the user tree, which only contains user-specific objects. Otherwise, copying the contents elsewhere (perhaps creating a new homegrown app?) will work, too.
I think maybe I was not clear on this -- the App ownership was not in itself the issue but the objects in the app (saved searches, alerts, etc). I figured out what I needed to by snooping based on what sowings mentioned in his previous post and confirmed my suspicion in his last post above. I had to edit the $SPLUNK_HOME/etc/apps/{AppsDir}/metadata/local.meta config file that has the old owner’s ID and change each occurrence of that to the new owner’s ID. The Search Head needs to be restarted for these changes to take effect.
Thank you sowings for guidance on this.
Ah, sorry, I misunderstood you. The ownership of an object is set in a file called either default.meta (default permissions) or local.meta (overrides). Both of these files live within the metadata/ subdirectory of a given application. The owner is just a field in that file, though I don't know a direct way in the Manager to make these changes. I'd find the local.meta file which contains the objects you want to chown, edit the owner = part, and restart splunk. I just did a simple test, and the new owner is reflected in the Manager.
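Added example, not part of any post in this thread: a Python sketch of the local.meta edit described above that rewrites only `owner =` lines whose value exactly matches the departed user, so a similar ID or an `access` list is not changed by a blind search-and-replace. The stanza names, user IDs (`jsmith`, `jsmith2`, `mlee`) and the `.bak` backup name are constructed for illustration.

```python
import re
import shutil
from pathlib import Path

# Constructed sample of a metadata/local.meta file; stanza names and user IDs are made up.
SAMPLE_META = """\
[savedsearches/Failed%20Logins]
owner = jsmith
modtime = 1400000000.000000000

[savedsearches/Disk%20Usage]
owner = jsmith2
access = read : [ * ], write : [ admin, jsmith ]

[views/overview]
owner = jsmith
"""

STANZA = re.compile(r"^\[(.+)\]\s*$")
OWNER = re.compile(r"^(\s*owner\s*=\s*)(\S+)(\s*)$")

def reassign_owner(text, old_owner, new_owner):
    """Return (new_text, changed_stanzas); only exact owner matches are rewritten."""
    out, changed, stanza = [], [], None
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # preserve the original line ending
        m = STANZA.match(body)
        if m:
            stanza = m.group(1)         # remember which object this owner belongs to
        m = OWNER.match(body)
        if m and m.group(2) == old_owner:
            body = m.group(1) + new_owner + m.group(3)
            changed.append(stanza)
        out.append(body + eol)
    return "".join(out), changed

def reassign_file(path, old_owner, new_owner):
    """Back up local.meta next to itself, then rewrite it in place."""
    path = Path(path)
    new_text, changed = reassign_owner(path.read_text(), old_owner, new_owner)
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(new_text)
    return changed

if __name__ == "__main__":
    _, stanzas = reassign_owner(SAMPLE_META, "jsmith", "mlee")
    print("reassigned:", stanzas)
```

The `access` line still lists the old ID after the run, which is worth reviewing separately when an account is retired; the restart mentioned in the posts is still needed afterwards.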
This solution did not work for me, but moving tags.conf and props.conf files from user-apps local directory to newuser-apps local directory worked for me.
Hi sowings.. this solution worked perfectly for me as well. Employee left the company and alerts stopped working after AD synced with splunk. Changed the owner by editing the local.meta file mentioned above and alerts are back in action. Thanks a ton for the tip.
It's not the scope I need to change -- the App's objects are already set to App level permission for sharing. In Manager / Apps, this App shows up with this former user's ID as the owner. I have been asked to change that to the current "owner". The alternative to copying to a new area of the file system does not seem to be the answer either as I will have the same files and their content, just now in a different place.