Security
Highlighted

Change App and Object Ownership

Contributor

One of my Splunk users has left the company. She owned an App and many saved searches, alerts, etc that all have her name on them. How can I change these to have the name of the new owner of this App? I considered just copying the contents of her $SPLUNK_HOME/etc/users/UserID/AppID/* to the new user's directory but he has already started to create 'stuff' and I did not want to overwrite his work. How might I get this done?

Tags (4)
Highlighted

Re: Change App and Object Ownership

Splunk Employee
Splunk Employee

If you utilize the Splunk Manager, changing the scope (permissions) of an object like a savedsearch, macro, UI view, etc, will move it around the filesystem for you. Consider changing it to have "application" scope, which will place it in the context of the owning application ($SPLUNK_HOME/etc/apps/<appname>), vs. the user tree, which only contains user-specific objects. Otherwise, copying the contents elsewhere (perhaps creating a new homegrown app?) will work, too.

View solution in original post

Highlighted

Re: Change App and Object Ownership

Contributor

It's not the scope I need to change -- the App's objects are already set to App level permission for sharing. In Manager / Apps, this App shows up with this former user's ID as the owner. I have been asked to change that to the current "owner". The alternative to copying to a new area of the file system does not seem to be the answer either as I will have the same files and their content, just now in a different place.

0 Karma
Highlighted

Re: Change App and Object Ownership

Splunk Employee
Splunk Employee

Ah, sorry, I misunderstood you. The ownership of an object is set in a file called either default.meta (default permissions) or local.meta (overrides). Both of these files live within the metadata/ subdirectory of a given application. The owner is just a field in that file, though I don't know a direct way in the Manager to make these changes. I'd find the local.meta file which contains the objects you want to chown, edit the owner = part, and restart splunk. I just did a simple test, and the new owner is reflected in the Manager.

Highlighted

Re: Change App and Object Ownership

New Member

Hi sowings.. this solution worked perfectly for me as well. Employee left the company and alerts stopped working after AD synced with splunk. Changed the owner by editing the local.meta file mentioned above and alerts are back in action. Thanks a ton for the tip.

0 Karma
Highlighted

Re: Change App and Object Ownership

Path Finder

This solution did not work for me, but moving tags.conf and props.conf files from user-apps local directory to newuser-apps local directory worked for me.

0 Karma
Highlighted

Re: Change App and Object Ownership

Contributor

I think maybe I was not clear on this -- the App ownership was not in itself the issue but the objects in the app (saved searches, alerts, etc). I figured out what I needed to by snooping based on what sowings mentioned in his previous post and confirmed my suspicion in his last post above. I had to edit the $SPLUNK_HOME/etc/apps/{AppsDir}/metadata/local.meta config file that has old owner’s ID and change each occurrence of that to the new ower’s ID. The Search Head needs to be restarted for these changes to take effect.

Thank you sowings for guidance on this.