Splunk Search

How to change the permissions of a saved search from the CLI

sadon
Explorer

I add a new saved search by CLI splunk:

./splunk add saved-search -search 'ERROR*' -name 'ERROR chart' -schedule '0 * * * *' -alert true

and by default I have a permission 'Keep private'

how to edit or add with

- 'This app only (search)',
- 'All apps'

permissions? without usage GUI.

Tags (4)

DEAD_BEEF
Builder

Solution working in Splunk v7.0
To change an existing report permissions from private to sharing

curl -k -u admin:pass https://localhost:8089/servicesNS/{user}/{app}/saved/searches/{search%20name}/acl -d owner={user} -d sharing=app
0 Karma

hexx
Splunk Employee
Splunk Employee

If you cannot use the UI at all, you'll need to POST to the /servicesNS/{user}/{app}/saved/searches/{search name}/acl REST API endpoint and update the value of the sharing key in the eai:acl properties from "user" to "app" or "global".

In the example below, I am changing the sharing property from "user" to "app" for a saved search named "_internal errors - last 15 minutes" which is private and belongs to user "odisciullo" in app "search":

$SPLUNK_HOME/bin/splunk _internal call '/servicesNS/odisciullo/search/saved/searches/_internal%20errors%20-%20last%2015%20minutes/acl' -post:owner odisciullo -post:sharing app

After this change, any user can run that saved search from within the context of the "search" app.

nnmiller
Contributor

Just a note--I tried hexx's method in 6.6.0 and it failed with <msg type="ERROR">You do not have permission to share objects at the system level</msg> even though I was attempting it as admin.

Instead, I had to use the methods covered in the documentation on REST ACLs, involving curl.

DEAD_BEEF
Builder

Can you share what the curl command was?

EDIT: curl -k -u admin:pass https://localhost:8089/servicesNS/{user}/{app}/saved/searches/{search%20name}/acl -d owner=alice -d sharing=app

0 Karma

horsefez
SplunkTrust
SplunkTrust

@DEAD_BEEF,

I don't want to discourage you from getting your answer, but for answers that are that far back it most likely is better to just ask a new question as to try to restart the conversation.

It can also help to use @ in front of the username to notify the user that he or she was mentioned by someone somewhere on this site. @nnmiller

Regards,
pyro_wood

DEAD_BEEF
Builder

@pyro_wood Gotcha. I updated my comment with the answer for future readers.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...