Security

Change App and Object Ownership

rgcurry
Contributor

One of my Splunk users has left the company. She owned an App and many saved searches, alerts, etc that all have her name on them. How can I change these to have the name of the new owner of this App? I considered just copying the contents of her $SPLUNK_HOME/etc/users/UserID/AppID/* to the new user's directory but he has already started to create 'stuff' and I did not want to overwrite his work. How might I get this done?

1 Solution

sowings
Splunk Employee

If you utilize the Splunk Manager, changing the scope (permissions) of an object like a savedsearch, macro, UI view, etc, will move it around the filesystem for you. Consider changing it to have "application" scope, which will place it in the context of the owning application ($SPLUNK_HOME/etc/apps/<appname>), vs. the user tree, which only contains user-specific objects. Otherwise, copying the contents elsewhere (perhaps creating a new homegrown app?) will work, too.


rgcurry
Contributor

I think maybe I was not clear on this -- the App ownership was not in itself the issue but the objects in the app (saved searches, alerts, etc.). I figured out what I needed to by snooping based on what sowings mentioned in his previous post and confirmed my suspicion in his last post above. I had to edit the $SPLUNK_HOME/etc/apps/{AppsDir}/metadata/local.meta config file, which has the old owner's ID, and change each occurrence of that to the new owner's ID. The Search Head needs to be restarted for these changes to take effect.

Thank you sowings for guidance on this.

sowings
Splunk Employee

Ah, sorry, I misunderstood you. The ownership of an object is set in a file called either default.meta (default permissions) or local.meta (overrides). Both of these files live within the metadata/ subdirectory of a given application. The owner is just a field in that file, though I don't know a direct way in the Manager to make these changes. I'd find the local.meta file which contains the objects you want to chown, edit the owner = part, and restart splunk. I just did a simple test, and the new owner is reflected in the Manager.
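The edit described above can be scripted so that only exact owner matches change and the original file is kept. This is an added example, not code from the thread or from Splunk; the user names `asmith`, `asmithers` and `bjones` and the sample stanzas are constructed for illustration.

```python
import re
import shutil
from pathlib import Path

STANZA = re.compile(r"^\[(.*)\]\s*$")             # e.g. [savedsearches/My%20Alert]
OWNER = re.compile(r"^(\s*owner\s*=\s*)(\S+)(\s*)$")

# Constructed sample of a metadata/local.meta file (not taken from the thread).
SAMPLE = """\
[]
access = read : [ * ], write : [ admin, power ]
export = system

[savedsearches/Failed%20logins%20by%20host]
owner = asmith
version = 8.2.0

[savedsearches/Disk%20usage]
owner = asmithers

[views/auth_overview]
owner = asmith
"""

def reassign_owner(text, old, new):
    """Rewrite 'owner = old' lines; return (new_text, stanzas_changed)."""
    out, changed, stanza = [], [], None
    for line in text.splitlines(keepends=True):
        head = STANZA.match(line)
        own = OWNER.match(line)
        if head:
            stanza = head.group(1)
        elif own and own.group(2) == old:   # exact match, so 'asmithers' is left alone
            line = f"{own.group(1)}{new}{own.group(3)}"
            changed.append(stanza)
        out.append(line)
    return "".join(out), changed

def rewrite_meta(path, old, new):
    """Apply reassign_owner to a file, keeping a .bak copy of the original."""
    path = Path(path)
    with open(path, encoding="utf-8", newline="") as fh:
        text = fh.read()
    updated, changed = reassign_owner(text, old, new)
    if changed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        with open(path, "w", encoding="utf-8", newline="") as fh:
            fh.write(updated)
    return changed
```

The returned stanza list doubles as a record of which objects changed hands; as the thread notes, a restart is needed before the new owner shows up.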

dvg06
Path Finder

This solution did not work for me, but moving tags.conf and props.conf files from user-apps local directory to newuser-apps local directory worked for me.


jim_george
New Member

Hi sowings, this solution worked perfectly for me as well. Employee left the company and alerts stopped working after AD synced with Splunk. Changed the owner by editing the local.meta file mentioned above and alerts are back in action. Thanks a ton for the tip.


rgcurry
Contributor

It's not the scope I need to change -- the App's objects are already set to App level permission for sharing. In Manager / Apps, this App shows up with this former user's ID as the owner. I have been asked to change that to the current "owner". The alternative to copying to a new area of the file system does not seem to be the answer either as I will have the same files and their content, just now in a different place.
