Splunk Dev

Python - ReSave Splunk (existing) Knowledge Objects without any changes

vamsigurram
Path Finder

I have a task to move All users (except admins, nobody) KOs (Knowledge Objects) from search app, to their own apps.
When I try to move the KO, I get below error.

Replication-related issue: Cannot move asset lacking a pre-existing asset ID

Online search shows, work around for this.
We just re-save the splunk KO and them move it (to other app).
But problem is we have thousands of splunk KOs. There is no way we can manually do this.

I tired to automate with python script.
I did not see rest endpoint "/save" or /re-save

Endpoints for Views:

    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="list"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="edit"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="remove"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/move" rel="move"/>

I see /move but not /save.

Need help, finding rest endpoint, so that I can script (The save, with NO changes and Move), for all Splunk KOs (Savedsearches, Views, Eventtypes, etc...) for users.

Labels (2)
0 Karma
1 Solution

vamsigurram
Path Finder

This code seems to  be working.

Assigning same existing KO's owner and sharing details, in the payload is saving the splunk KO.

headers = {
    "content-type""application/x-www-form-urlencoded",    
    "Authorization""Splunk %s" % sessionkey               
    }
    payload={
        'owner': ko['owner'],
        'sharing': ko['sharing']                
    }
    res = requests.post(url,headers=headers, data=payload, verify = False)

View solution in original post

0 Karma

thambisetty
SplunkTrust
SplunkTrust

@vamsigurram 

Try moving one user object from UI and check in below two log files if you see any GET/POST requests:

/opt/splunk/var/log/splunk/splunkd_ui_access.log
/opt/splunk/var/log/splunk/web_access.log

————————————
If this helps, give a like below.
0 Karma

vamsigurram
Path Finder

This code seems to  be working.

Assigning same existing KO's owner and sharing details, in the payload is saving the splunk KO.

headers = {
    "content-type""application/x-www-form-urlencoded",    
    "Authorization""Splunk %s" % sessionkey               
    }
    payload={
        'owner': ko['owner'],
        'sharing': ko['sharing']                
    }
    res = requests.post(url,headers=headers, data=payload, verify = False)
0 Karma

thambisetty
SplunkTrust
SplunkTrust

@vamsigurram 

I believe you can simply move below two directories to user app folder $SPLUNK_HOME/etc/users/users/<username>/search/local/ #place where user KO's are saved if they are private.

$SPLUNK_HOME/etc/users/users/<username>/search/metadata/ #place where permissions are maintained.

————————————
If this helps, give a like below.
0 Karma

vamsigurram
Path Finder

@thambisetty We have 30 search heads in the backend.

Moving hundreds of users local and meta folders, is giving us pause.
I am still leaning towards doing this through python script.

If we can do it (save Knowledge Object, without making any changes) from UI, then we should be able to do it, through REST endpoint.
Is there a way to see, what underlying endpoints, splunk UI is calling?
May be that will give us some pointers.

 

0 Karma

mwk1000
Path Finder

I also have been having "issues" , i have created a utility in python to extract all KO's for a list ( lookup table ) of users. It will clone all KO's to a designated target app. It works well for all objects until we decided to add a "disable source" option. This revealed that "global" objects were not truly being cloned but "acting" as if they are....

A part of the process calls the target to see if it already exists... This is always true for a "global" object returning no 404 error but instead a full result but examining past the atom links the ['entry'][0]['links'] all point back to the original app links....  I can even disable the source and enable the target .... a disaster waiting to happen. If I move the target app ( to the cloud for instance ) it has NONE of the relevant attribute to function ... like the base search ...

Is there any FULL documentation to the /move links since adding 'sharing'= app or global does not stop a new private object being created....  (as is suggested in Splunk rest doc's but the examples are VERY simplistic

0 Karma

mwk1000
Path Finder

Solved- after some trial and error the user was being fed in to the call since it was a required attribute BUT that triggers a user level save (private ) using "nobody" keeps it in the app... 

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...