Security
Provide Splunk Cloud feedback in this confidential UX survey by June 17
for a chance to win a $200 Amazon gift card!

How do you change the owner of a saved search using Splunk Python SDK?

Ravencross
New Member

I've scoured the net trying to figure out how to create a saved search via the Splunk Python SDK and change user to "nobody" to place it in the global visibility realm. I've successfully been able to create the search using the SDK documentation, but have hit a wall when it comes to changing the owner of the search.

I know this can be done easily using cURL, but that's not supported by Python or the SDK and I'm trying to avoid external calls. There have been several answers to this, but many of them our outdated with libraries that are no longer supported.

Currently I'm trying to use the requests library in Python with the following code. While I am able to perform a get with successfully the post is met with a 403 error. I think my issue is with the post command, but I'm just not sure.

def modify_perms(ss):
    url = "https://localhost:8089/servicesNS/%s/search/saved/searches/%s/acl" % ("api", ss)
    response = requests.post(url, auth=('api', 'password'), verify=False, data="owner=nobody")
    print response.status_code

modify_perms("Test")
0 Karma

gjanders
SplunkTrust
SplunkTrust

Here is what I have used, it may help you solve your situation. If it does please accept the answer/up vote if appropriate !

Here is a script I've used to re-own items on the command line (it's a mass re-own but the calls provide hints of which REST endpoints you will need to hit to do what you want to do):

#!/bin/sh

if [ $# -lt 1 ]; then
  echo "Please pass in the username to work on"
  echo "Please pass in a 2nd argument to actually run otherwise this runs in debug mode"
fi

debugMode="true"
if [ $# -eq 2 ]; then
  debugMode="false"
fi

username="$1"
newOwner="admin"
grep -R $username /opt/splunk/etc/* | grep -v "\.js" | grep -E "\.meta|\.conf" | cut -d ":" -f1 | sort | uniq > /tmp/allFilesFoundToReown.txt
for aFile in `cat /tmp/allFilesFoundToReown.txt`; do
  echo $aFile
  #Hardcoding because /opt/splunk/etc/apps/<appName>
  app=`echo $aFile | cut -d "/" -f 6`
  #Extract the lines for [views/...] or similar and combine it with the "owner = " line somewhere below it if it should exist
  #Then remove the [ ] around the view/props/savedsearch
  grep -E "^\[|owner" $aFile | sed -e ':a' -e 'N' -e '$!ba' -e 's/\nowner/ owner/g' | grep $username | cut -d "]" -f1 | cut -d "[" -f2 > /tmp/allEntitiesToReown.txt

  #For each entity we have to reown them
  for entity in `cat /tmp/allEntitiesToReown.txt`; do
    entityType=`echo $entity | cut -d "/" -f1`
    entityName=`echo $entity | cut -d "/" -f2`
    entityName2=`echo $entity | cut -d "/" -f3`

    if [ "$entityType" = "savedsearches" ] ; then
        echo "Saved search"
        sharing=`$SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/saved/searches/$entityName" | grep sharing | cut -d ">" -f2 | cut -d "<" -f1`
        echo $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/saved/searches/$entityName/acl" -post:owner $newOwner -post:sharing $sharing
        if [ $debugMode = "false" ]; then
            $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/saved/searches/$entityName/acl" -post:owner $newOwner -post:sharing $sharing
        fi
    elif [ "$entityType" = "views" ] ; then
        echo "view type"
        sharing=`$SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/ui/views/$entityName" | grep sharing | cut -d ">" -f2 | cut -d "<" -f1`
        echo $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/ui/views/$entityName/acl" -post:owner $newOwner -post:sharing $sharing
        if [ $debugMode = "false" ]; then
            $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/ui/views/$entityName/acl" -post:owner $newOwner -post:sharing $sharing
        fi
    #Props are 3 level deep
    elif [ "$entityType" = "props" ] ; then
        echo "props type"
        echo $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/props/extractions/$entityName%20%3A%20$entityName2"
        sharing=`$SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/props/extractions/$entityName%20%3A%20$entityName2" | grep sharing | cut -d ">" -f2 | cut -d "<" -f1`
        echo $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/props/extractions/$entityName%20%3A%20$entityName2/acl" -post:owner $newOwner -post:sharing $sharing
        if [ $debugMode = "false" ]; then
            $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/props/extractions/$entityName%20%3A%20$entityName2/acl" -post:owner $newOwner -post:sharing $sharing
        fi
    fi
  done
done

Here's another script that I've written in python and partially borrowed from online articles:

import urllib
import urllib2
import ssl
import base64

#Send a request using a POST command to the required URL
#SSL checking is disabled due to use of the self-signed certificates
def sendrequest(values, server, url):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    data = urllib.urlencode(values)
    req = urllib2.Request(server + url, data)

    req.add_header("Authorization", "Basic %s" % base64string)
    response = urllib2.urlopen(req, context=ctx)
    the_page = response.read()

I then do something similar to:

#Splunk username/password
username = "yourusername"
password = "yourpassword"
base64string = base64.encodestring('%s:%s' % (username, password)).replace('\n', '')

server = "https://localhost:8089/"

#Start by creating the connection, the identity already exists
url = "/servicesNS/nobody/splunkapp/endpoint"

#Actually send the request
sendrequest(values, server, url)

Hope that helps...

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!