In the following page, we are unable to change the ownership of a saved search -
Where can we do it?
If you have filesystem access to the search head, you can change it in $SPLUNK_HOME/etc/apps/yourapp/metadata/local.meta
.
Look for the stanza starting with [savedsearches/45%20Day%20AuthFailures]
and replace owner = admin
with the value of the username you would like to have own the search.
Note: After doing this, you will probably need to visit https://your.search.head/en-US/debug/refresh to make Splunk pick up the change in the config file.
Also look at the REST API method of doing the same (requirement: the current owner should be a valid user). This is helpful for SHC as well as avoids file changes and refresh/restart of Splunk.
https://answers.splunk.com/answers/295303/how-do-i-change-the-owner-of-a-saved-search-or-vie.html
Gorgeous @somesoni2.
If you have filesystem access to the search head, you can change it in $SPLUNK_HOME/etc/apps/yourapp/metadata/local.meta
.
Look for the stanza starting with [savedsearches/45%20Day%20AuthFailures]
and replace owner = admin
with the value of the username you would like to have own the search.
Note: After doing this, you will probably need to visit https://your.search.head/en-US/debug/refresh to make Splunk pick up the change in the config file.
Perfect @elliotproebstel. I see it!!!
[savedsearches/<name>]
export = none
owner = admin
version = 6.5.2
modtime = 1509563343.905030000