Splunk Search

How do we reassign Knowledge Objects owned by a user to another user via API? Is it possible?

arvind_Sugajeev
Explorer

We have the "Reassign Knowledge Objects" option via the SplunkCloud portal in the settings, but is it possible to do it via API?

We need to do this for all KOs owned by a specific user.

0 Karma

deepakc
Builder

Find your Knowledge Object and the owner - look at the example below and change it to your requirements.

example
curl -k -u admin_user:password https://<MY_CLOUD_STACK>splunkcloud.com:8089/servicesNS/nobody/YOU_APP/saved/searches/my_search/acl -d 'owner=new_user' -d 'sharing=global' -X POST

Here's some further help on ACL in cloud
https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/RESTTUT/RESTbasicexamples

arvind_Sugajeev
Explorer

Is there any way to reassign all the Knowledge Objects owned by a specific user, instead of transferring one Knowledge Object at a time?

Also, is the "/my_search" in the example mentioned below the title of the Knowledge Object?

0 Karma

yuanliu
SplunkTrust

Also, is the "/my_search" in the example mentioned below the title of the Knowledge Object?

Not quite. @deepakc only gave saved searches (aka reports) as an example. "my_search" is a URL-encoded string of the title. In the example, "https://<MY_CLOUD_STACK>splunkcloud.com:8089/servicesNS/nobody/YOU_APP/saved/searches/my_search" is one property internally known as id.

Is there any way to reassign all the Knowledge Objects owned by a specific user, instead of transferring one Knowledge Object at a time?

Yes. To continue the example with saved searches, you can use this search to find all id's owned by the old user "old_user".

| rest /servicesNS/-/-/saved/searches/
| search eai:acl.owner = "old_user"
| fields id

Example output could be (taken from owner nobody on a standard deployment)

id
https://127.0.0.1:8089/servicesNS/nobody/search/saved/searches/Bucket%20Merge%20Retrieve%20Conf%20Se...
https://127.0.0.1:8089/servicesNS/nobody/SplunkDeploymentServerConfig/saved/searches/DeploymentServe...
https://127.0.0.1:8089/servicesNS/nobody/SplunkDeploymentServerConfig/saved/searches/DeploymentServe...
https://127.0.0.1:8089/servicesNS/nobody/SplunkDeploymentServerConfig/saved/searches/DeploymentServe...
https://127.0.0.1:8089/servicesNS/nobody/SplunkDeploymentServerConfig/saved/searches/DeploymentServe...
https://127.0.0.1:8089/servicesNS/nobody/SplunkDeploymentServerConfig/saved/searches/DeploymentServe...
https://127.0.0.1:8089/servicesNS/nobody/SplunkDeploymentServerConfig/saved/searches/DeploymentServe...

Then, program a script using these values to update these saved searches to the new user.

To update other knowledge objects, consult the REST API Reference Manual, especially the Knowledge endpoint descriptions, to find out how to retrieve their id's by owner. (Note that saved searches are described in the Search endpoint descriptions instead.)

Hope this helps.
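
One way to script the bulk update described in the answer above, as an added example that is not part of the original post. It assumes the search is extended with `| fields id eai:acl.owner eai:acl.sharing`, that token authentication is enabled, and a hypothetical host `splunk.example.com`; each object keeps its current sharing level, so the ownership change does not widen visibility, and the host part of each id (127.0.0.1 in the sample output) is replaced by the management URL.

```python
import urllib.parse
import urllib.request

SHARING_LEVELS = {"user", "app", "global"}  # sharing values the acl endpoint accepts

def build_acl_request(base_url, row, new_owner, token):
    """Build the POST to <object>/acl that changes owner but keeps sharing."""
    path = urllib.parse.urlsplit(row["id"]).path  # drop 127.0.0.1:8089, keep %-encoding
    if not path.startswith("/servicesNS/"):
        raise ValueError("not a namespaced object id: " + row["id"])
    sharing = row["eai:acl.sharing"]
    if sharing not in SHARING_LEVELS:
        raise ValueError("unexpected sharing level: " + sharing)
    body = urllib.parse.urlencode({"owner": new_owner, "sharing": sharing})
    return urllib.request.Request(
        base_url.rstrip("/") + path.rstrip("/") + "/acl",
        data=body.encode(), method="POST",
        headers={"Authorization": "Bearer " + token})

def plan_reassignment(base_url, rows, old_owner, new_owner, token):
    """Select only rows owned by old_owner and return one request per object."""
    return [build_acl_request(base_url, r, new_owner, token)
            for r in rows if r["eai:acl.owner"] == old_owner]

def apply_plan(requests, dry_run=True):
    """Print each change; send it only when dry_run is False."""
    for req in requests:
        print("DRY-RUN" if dry_run else "POST", req.full_url, req.data.decode())
        if not dry_run:
            # urlopen verifies the server certificate by default (unlike curl -k)
            with urllib.request.urlopen(req, timeout=30) as resp:
                print("  HTTP", resp.status)

# Constructed sample rows, shaped like the extended search output
# (object titles and user names are made up for this example).
SAMPLE_ROWS = [
    {"id": "https://127.0.0.1:8089/servicesNS/old_user/search/saved/searches/Failed%20Logins",
     "eai:acl.owner": "old_user", "eai:acl.sharing": "user"},
    {"id": "https://127.0.0.1:8089/servicesNS/nobody/search/saved/searches/Weekly%20Audit",
     "eai:acl.owner": "old_user", "eai:acl.sharing": "app"},
    {"id": "https://127.0.0.1:8089/servicesNS/nobody/search/saved/searches/Other",
     "eai:acl.owner": "someone_else", "eai:acl.sharing": "global"},
]

if __name__ == "__main__":
    # Hypothetical host and token placeholder; the default dry run only prints the plan.
    apply_plan(plan_reassignment("https://splunk.example.com:8089", SAMPLE_ROWS,
                                 "old_user", "new_user", "TOKEN_PLACEHOLDER"))
```

Review the dry-run output before calling `apply_plan(..., dry_run=False)`, and pass the token from a secret store rather than the command line.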

arvind_Sugajeev
Explorer

Thanks @yuanliu, I understand it now. I'm able to get the id for all the knowledge objects owned by the user now.

However, I'm still not able to change the owner for the knowledge object via the REST command. I get the following error: " <msg type="ERROR">You do not have permission to share objects at the system level</msg> </messages> "

My user account has the sc_admin role, so permission should not be an issue. Am I missing something?

Any help is really appreciated

0 Karma