Here is what I have used; it may help you solve your situation. If it does, please accept the answer/upvote if appropriate!
Here is a script I've used to re-own items on the command line (it's a mass re-own, but the calls provide hints of which REST endpoints you will need to hit to do what you want to do):
```sh
#!/bin/sh
if [ $# -lt 1 ]; then
    echo "Please pass in the username to work on"
    echo "Please pass in a 2nd argument to actually run otherwise this runs in debug mode"
    exit 1
fi

# Debug mode only prints the REST calls; any 2nd argument runs them for real
debugMode="true"
if [ $# -eq 2 ]; then
    debugMode="false"
fi

username="$1"
newOwner="admin"

# Find every .meta/.conf file that mentions the username
grep -R "$username" /opt/splunk/etc/* | grep -v "\.js" | grep -E "\.meta|\.conf" | cut -d ":" -f1 | sort | uniq > /tmp/allFilesFoundToReown.txt

for aFile in $(cat /tmp/allFilesFoundToReown.txt); do
    echo "$aFile"
    # Hardcoding because /opt/splunk/etc/apps/<appName>
    app=$(echo "$aFile" | cut -d "/" -f 6)

    # Extract the lines for [views/...] or similar and combine it with the "owner = " line somewhere below it if it should exist
    # Then remove the [ ] around the view/props/savedsearch
    grep -E "^\[|owner" "$aFile" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\nowner/ owner/g' | grep "$username" | cut -d "]" -f1 | cut -d "[" -f2 > /tmp/allEntitiesToReown.txt

    # For each entity we have to reown them
    for entity in $(cat /tmp/allEntitiesToReown.txt); do
        entityType=$(echo "$entity" | cut -d "/" -f1)
        entityName=$(echo "$entity" | cut -d "/" -f2)
        entityName2=$(echo "$entity" | cut -d "/" -f3)

        if [ "$entityType" = "savedsearches" ]; then
            echo "Saved search"
            # Read the current sharing level so the ACL post keeps it unchanged
            sharing=$("$SPLUNK_HOME/bin/splunk" _internal call "/servicesNS/$newOwner/$app/saved/searches/$entityName" | grep sharing | cut -d ">" -f2 | cut -d "<" -f1)
            echo "$SPLUNK_HOME/bin/splunk" _internal call "/servicesNS/$newOwner/$app/saved/searches/$entityName/acl" -post:owner "$newOwner" -post:sharing "$sharing"
            if [ "$debugMode" = "false" ]; then
                "$SPLUNK_HOME/bin/splunk" _internal call "/servicesNS/$newOwner/$app/saved/searches/$entityName/acl" -post:owner "$newOwner" -post:sharing "$sharing"
            fi
        elif [ "$entityType" = "views" ]; then
            echo "view type"
            sharing=$("$SPLUNK_HOME/bin/splunk" _internal call "/servicesNS/$newOwner/$app/data/ui/views/$entityName" | grep sharing | cut -d ">" -f2 | cut -d "<" -f1)
            echo "$SPLUNK_HOME/bin/splunk" _internal call "/servicesNS/$newOwner/$app/data/ui/views/$entityName/acl" -post:owner "$newOwner" -post:sharing "$sharing"
            if [ "$debugMode" = "false" ]; then
                "$SPLUNK_HOME/bin/splunk" _internal call "/servicesNS/$newOwner/$app/data/ui/views/$entityName/acl" -post:owner "$newOwner" -post:sharing "$sharing"
            fi
        # Props are 3 level deep
        elif [ "$entityType" = "props" ]; then
            echo "props type"
            echo "$SPLUNK_HOME/bin/splunk" _internal call "/servicesNS/$newOwner/$app/data/props/extractions/$entityName%20%3A%20$entityName2"
            sharing=$("$SPLUNK_HOME/bin/splunk" _internal call "/servicesNS/$newOwner/$app/data/props/extractions/$entityName%20%3A%20$entityName2" | grep sharing | cut -d ">" -f2 | cut -d "<" -f1)
            echo "$SPLUNK_HOME/bin/splunk" _internal call "/servicesNS/$newOwner/$app/data/props/extractions/$entityName%20%3A%20$entityName2/acl" -post:owner "$newOwner" -post:sharing "$sharing"
            if [ "$debugMode" = "false" ]; then
                "$SPLUNK_HOME/bin/splunk" _internal call "/servicesNS/$newOwner/$app/data/props/extractions/$entityName%20%3A%20$entityName2/acl" -post:owner "$newOwner" -post:sharing "$sharing"
            fi
        fi
    done
done
```
Here's another script that I've written in Python and partially borrowed from online articles:
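```python
import base64
import ssl
import urllib.parse
import urllib.request

# Send a request using a POST command to the required URL
# SSL checking is disabled due to use of the self-signed certificates
# (to verify instead, build the context with ssl.create_default_context(cafile=...))
def sendrequest(values, server, url):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # POST bodies must be bytes in Python 3
    data = urllib.parse.urlencode(values).encode("utf-8")
    req = urllib.request.Request(server + url, data)
    # base64string is the module-level Basic auth value set by the caller
    req.add_header("Authorization", "Basic %s" % base64string)
    response = urllib.request.urlopen(req, context=ctx)
    the_page = response.read()
    return the_page
```
I then do something similar to:
```python
# Splunk username/password
username = "yourusername"
password = "yourpassword"
base64string = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
# No trailing slash here, because the URL below starts with one
server = "https://localhost:8089"
# Start by creating the connection, the identity already exists
url = "/servicesNS/nobody/splunkapp/endpoint"
# Placeholder POST parameters; replace with the fields your endpoint expects
values = {"name": "value"}
# Actually send the request
sendrequest(values, server, url)
```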
Hope that helps...
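An added example, not part of the original answer: the shell script's `grep "$username"` step matches the username as a substring, so this Python example parses `.meta` text stanza by stanza, keeps only exact `owner` matches, and builds the `/acl` paths the script calls. The sample `.meta` content, the app name `search` and the function names are constructed for illustration; stanza names are assumed to be usable in the URL exactly as they appear in the file, as the script assumes.

```python
import re

# ACL endpoint templates copied from the shell script above.
ACL_PATHS = {
    "savedsearches": "/servicesNS/{owner}/{app}/saved/searches/{name}/acl",
    "views": "/servicesNS/{owner}/{app}/data/ui/views/{name}/acl",
    "props": "/servicesNS/{owner}/{app}/data/props/extractions/{name}%20%3A%20{name2}/acl",
}

# Constructed sample of an app's .meta file (not from a real system).
SAMPLE_META = """\
[savedsearches/Failed%20logins]
owner = bob

[views/bob_overview]
owner = bobby

[props/sshd/EXTRACT-user]
access = read : [ * ]
owner = bob

[lookups/assets.csv]
owner = bob
"""

def owned_entities(meta_text, username):
    """Return the stanza names whose owner is exactly `username`."""
    owned, stanza = [], None
    for raw in meta_text.splitlines():
        line = raw.strip()
        header = re.match(r"\[(.*)\]$", line)
        if header:
            stanza = header.group(1)  # remember which stanza we are inside
            continue
        setting = re.match(r"owner\s*=\s*(.*)$", line)
        if setting and stanza and setting.group(1).strip() == username:
            owned.append(stanza)
    return owned

def acl_path(stanza, app, new_owner):
    """Build the /acl path for a stanza, or None for types the script skips."""
    parts = stanza.split("/")
    needed = 3 if parts[0] == "props" else 2  # props are three levels deep
    if parts[0] not in ACL_PATHS or len(parts) < needed:
        return None
    return ACL_PATHS[parts[0]].format(owner=new_owner, app=app, name=parts[1],
                                      name2=parts[2] if needed == 3 else "")
```

Running `owned_entities(SAMPLE_META, "bob")` leaves out `views/bob_overview`, which belongs to `bobby` and would have been picked up by a substring match; stanza types the script has no branch for (here `lookups`) return `None` from `acl_path` so they can be listed for manual review.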