
Python - ReSave Splunk (existing) Knowledge Objects without any changes

vamsigurram
Path Finder

I have a task to move All users (except admins, nobody) KOs (Knowledge Objects) from search app, to their own apps.
When I try to move the KO, I get below error.

Replication-related issue: Cannot move asset lacking a pre-existing asset ID

An online search shows a workaround for this.
We just re-save the Splunk KO and then move it (to the other app).
But the problem is we have thousands of Splunk KOs. There is no way we can manually do this.

I tried to automate this with a Python script.
I did not see a REST endpoint "/save" or "/re-save".

Endpoints for Views:

    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="list"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/_reload" rel="_reload"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="edit"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard" rel="remove"/>
    <link href="/servicesNS/admin/search/data/ui/views/my_dashboard/move" rel="move"/>

I see /move but not /save.

Need help finding a REST endpoint, so that I can script (the save, with NO changes, and the move) for all Splunk KOs (Savedsearches, Views, Eventtypes, etc.) for users.

0 Karma

vamsigurram
Path Finder

This code seems to be working.

Assigning the same existing KO's owner and sharing details in the payload is saving the Splunk KO.

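    import requests

    # url, sessionkey and ko (the KO's entry, with its owner and sharing) are set earlier in the script
    headers = {
        "content-type": "application/x-www-form-urlencoded",
        "Authorization": "Splunk %s" % sessionkey,
    }
    # Re-post the KO's existing owner and sharing so it is saved without changes
    payload = {
        'owner': ko['owner'],
        'sharing': ko['sharing'],
    }
    # verify=False turns off TLS certificate validation; pass a CA bundle path
    # instead where splunkd presents a certificate you can trust
    res = requests.post(url, headers=headers, data=payload, verify=False)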


0 Karma

thambisetty
Super Champion

@vamsigurram 

Try moving one user object from UI and check in below two log files if you see any GET/POST requests:

/opt/splunk/var/log/splunk/splunkd_ui_access.log
/opt/splunk/var/log/splunk/web_access.log

————————————
If this helps, give a like below.
0 Karma
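
Added example, not part of the original posts: one way to act on the suggestion above is to filter the access log for the state-changing REST calls recorded while a KO is saved and moved in the UI. The log-line layout and the sample lines are assumptions constructed for illustration, and `rest_calls` is a hypothetical helper name.

```python
import re

# Constructed sample lines in the access-log layout assumed here
# (not captured from a real system).
SAMPLE_LOG = """\
127.0.0.1 - admin [12/Oct/2021:10:15:29.101 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/data/ui/views?count=30 HTTP/1.1" 200 8123 "-" "Mozilla/5.0" - abc 20ms
127.0.0.1 - admin [12/Oct/2021:10:15:30.412 +0000] "POST /en-US/splunkd/__raw/servicesNS/admin/search/data/ui/views/my_dashboard HTTP/1.1" 200 2210 "-" "Mozilla/5.0" - abd 35ms
127.0.0.1 - admin [12/Oct/2021:10:15:31.007 +0000] "POST /en-US/splunkd/__raw/servicesNS/admin/search/data/ui/views/my_dashboard/move HTTP/1.1" 200 2304 "-" "Mozilla/5.0" - abe 41ms
127.0.0.1 - admin [12/Oct/2021:10:15:31.500 +0000] "GET /en-US/static/app/search/img.png HTTP/1.1" 304 0 "-" "Mozilla/5.0" - abf 2ms
line that does not match the expected layout
"""

# client, ident, user, [timestamp], "METHOD URI HTTP/x.y", status
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def rest_calls(log_text, methods=("POST", "DELETE")):
    """Return (user, method, endpoint, status) for splunkd REST calls
    whose HTTP method is in `methods`; unparseable lines are skipped."""
    calls = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] not in methods:
            continue
        # Keep only the REST part of the URI: drop the web-proxy prefix
        # in front of /servicesNS/ and any query string after it.
        idx = m["uri"].find("/servicesNS/")
        if idx < 0:
            continue  # static assets and other non-REST requests
        endpoint = m["uri"][idx:].split("?", 1)[0]
        calls.append((m["user"], m["method"], endpoint, int(m["status"])))
    return calls


if __name__ == "__main__":
    for user, method, endpoint, status in rest_calls(SAMPLE_LOG):
        print(f"{user:10} {method:6} {status} {endpoint}")
```
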


thambisetty
Super Champion

@vamsigurram 

I believe you can simply move the below two directories to the user app folder:

$SPLUNK_HOME/etc/users/users/<username>/search/local/ #place where user KOs are saved if they are private.

$SPLUNK_HOME/etc/users/users/<username>/search/metadata/ #place where permissions are maintained.

————————————
If this helps, give a like below.
0 Karma

vamsigurram
Path Finder

@thambisetty We have 30 search heads in the backend.

Moving hundreds of users' local and meta folders is giving us pause.
I am still leaning towards doing this through a Python script.

If we can do it (save a Knowledge Object without making any changes) from the UI, then we should be able to do it through a REST endpoint.
Is there a way to see what underlying endpoints the Splunk UI is calling?
Maybe that will give us some pointers.

 

0 Karma