How do you change the owner of a saved search using Splunk Python SDK?

I've scoured the net trying to figure out how to create a saved search via the Splunk Python SDK and change user to "nobody" to place it in the global visibility realm. I've successfully been able to create the search using the SDK documentation, but have hit a wall when it comes to changing the owner of the search.

I know this can be done easily using cURL, but that's not supported by Python or the SDK and I'm trying to avoid external calls. There have been several answers to this, but many of them are outdated with libraries that are no longer supported.

Currently I'm trying to use the requests library in Python with the following code. While I am able to perform a get successfully, the post is met with a 403 error. I think my issue is with the post command, but I'm just not sure.

import requests

def modify_perms(ss):
    # POST to the saved search's ACL endpoint to change its owner
    url = "https://localhost:8089/servicesNS/%s/search/saved/searches/%s/acl" % ("api", ss)
    response = requests.post(url, auth=('api', 'password'), verify=False, data="owner=nobody")
    print(response.status_code)

0 Karma


Here is what I have used; it may help you solve your situation. If it does, please accept the answer/upvote if appropriate!

Here is a script I've used to re-own items on the command line (it's a mass re-own but the calls provide hints of which REST endpoints you will need to hit to do what you want to do):


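if [ $# -lt 1 ]; then
  echo "Please pass in the username to work on"
  echo "Please pass in a 2nd argument to actually run otherwise this runs in debug mode"
  exit 1
fi

#Username whose items will be re-owned (first argument)
username=$1
#newOwner is used below but its assignment is not shown in the post; set it before running
newOwner=""

#Debug mode only echoes the calls; passing a 2nd argument actually runs them
debugMode="true"
if [ $# -eq 2 ]; then
  debugMode="false"
fi
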
grep -R $username /opt/splunk/etc/* | grep -v "\.js" | grep -E "\.meta|\.conf" | cut -d ":" -f1 | sort | uniq > /tmp/allFilesFoundToReown.txt
for aFile in `cat /tmp/allFilesFoundToReown.txt`; do
  echo $aFile
  #Hardcoding because /opt/splunk/etc/apps/<appName>
  app=`echo $aFile | cut -d "/" -f 6`
  #Extract the lines for [views/...] or similar and combine it with the "owner = " line somewhere below it if it should exist
  #Then remove the [ ] around the view/props/savedsearch
  grep -E "^\[|owner" $aFile | sed -e ':a' -e 'N' -e '$!ba' -e 's/\nowner/ owner/g' | grep $username | cut -d "]" -f1 | cut -d "[" -f2 > /tmp/allEntitiesToReown.txt

  #For each entity we have to reown them
  for entity in `cat /tmp/allEntitiesToReown.txt`; do
    entityType=`echo $entity | cut -d "/" -f1`
    entityName=`echo $entity | cut -d "/" -f2`
    entityName2=`echo $entity | cut -d "/" -f3`

    if [ "$entityType" = "savedsearches" ] ; then
        echo "Saved search"
        sharing=`$SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/saved/searches/$entityName" | grep sharing | cut -d ">" -f2 | cut -d "<" -f1`
        echo $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/saved/searches/$entityName/acl" -post:owner $newOwner -post:sharing $sharing
        if [ $debugMode = "false" ]; then
            $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/saved/searches/$entityName/acl" -post:owner $newOwner -post:sharing $sharing
        fi
    elif [ "$entityType" = "views" ] ; then
        echo "view type"
        sharing=`$SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/ui/views/$entityName" | grep sharing | cut -d ">" -f2 | cut -d "<" -f1`
        echo $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/ui/views/$entityName/acl" -post:owner $newOwner -post:sharing $sharing
        if [ $debugMode = "false" ]; then
            $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/ui/views/$entityName/acl" -post:owner $newOwner -post:sharing $sharing
        fi
    #Props are 3 level deep
    elif [ "$entityType" = "props" ] ; then
        echo "props type"
        echo $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/props/extractions/$entityName%20%3A%20$entityName2"
        sharing=`$SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/props/extractions/$entityName%20%3A%20$entityName2" | grep sharing | cut -d ">" -f2 | cut -d "<" -f1`
        echo $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/props/extractions/$entityName%20%3A%20$entityName2/acl" -post:owner $newOwner -post:sharing $sharing
        if [ $debugMode = "false" ]; then
            $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/props/extractions/$entityName%20%3A%20$entityName2/acl" -post:owner $newOwner -post:sharing $sharing
        fi
    fi
  done
done

Here's another script that I've written in python and partially borrowed from online articles:

import urllib
import urllib2
import ssl
import base64

#Send a request using a POST command to the required URL
#SSL checking is disabled due to use of the self-signed certificates
def sendrequest(values, server, url):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    data = urllib.urlencode(values)
    req = urllib2.Request(server + url, data)

    req.add_header("Authorization", "Basic %s" % base64string)
    response = urllib2.urlopen(req, context=ctx)
    #Read and return the response body
    the_page = response.read()
    return the_page

I then do something similar to:

#Splunk username/password
username = "yourusername"
password = "yourpassword"
base64string = base64.encodestring('%s:%s' % (username, password)).replace('\n', '')

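#No trailing slash here because the url below starts with one
server = "https://localhost:8089"

#Start by creating the connection, the identity already exists
url = "/servicesNS/nobody/splunkapp/endpoint"

#POST parameters to send (example values; the post does not show this dict)
values = {'owner': 'nobody', 'sharing': 'global'}

#Actually send the request
sendrequest(values, server, url)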

Hope that helps...

0 Karma
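
An added Python 3 example (not code from either poster): it builds the same `/acl` POST that the shell script above issues, sending `owner` and `sharing` together, percent-encoding each path segment the way the script hand-encodes `%20%3A%20`, and verifying the splunkd certificate against a CA file rather than disabling the check. The host, account, password and search name are constructed placeholders, and the helper names are hypothetical.

```python
import base64
import ssl
import urllib.parse
import urllib.request

VALID_SHARING = {"user", "app", "global"}


def build_acl_request(server, current_owner, app, search_name,
                      new_owner, sharing, username, password):
    """Build (but do not send) the POST that re-owns a saved search."""
    if sharing not in VALID_SHARING:
        raise ValueError("sharing must be one of %s" % sorted(VALID_SHARING))
    # Encode every path segment so spaces or reserved characters in a
    # saved search name cannot alter the path that splunkd sees.
    segs = [urllib.parse.quote(s, safe="")
            for s in (current_owner, app, search_name)]
    url = "%s/servicesNS/%s/%s/saved/searches/%s/acl" % (
        server.rstrip("/"), *segs)
    # owner and sharing are posted together, as in the shell script above.
    body = urllib.parse.urlencode(
        {"owner": new_owner, "sharing": sharing}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    token = base64.b64encode(
        ("%s:%s" % (username, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    return req


def tls_context(ca_file=None):
    """Keep certificate and hostname checks on; ca_file lets a private
    or self-signed CA be trusted explicitly."""
    return ssl.create_default_context(cafile=ca_file)


def send(req, ca_file=None):
    """Send the request and return the HTTP status code."""
    with urllib.request.urlopen(req, context=tls_context(ca_file)) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample values; nothing is sent here.
    demo = build_acl_request("https://localhost:8089/", "api", "search",
                             "Failed logins : daily", "nobody", "global",
                             "api", "constructed-password")
    print(demo.get_method(), demo.full_url)
    print(demo.data.decode())
```

Call `send(req, ca_file="/path/to/ca.pem")` to issue the request; a non-2xx response raises `urllib.error.HTTPError`, whose `code` attribute carries the status.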