Splunk Search

How to change the permissions of a saved search from the CLI

sadon
Explorer

I add a new saved search by CLI splunk:

./splunk add saved-search -search 'ERROR*' -name 'ERROR chart' -schedule '0 * * * *' -alert true

and by default I have a permission 'Keep private'

how to edit or add with

- 'This app only (search)',
- 'All apps'

permissions? without usage GUI.

Tags (4)

DEAD_BEEF
Builder

Solution working in Splunk v7.0
To change an existing report permissions from private to sharing

curl -k -u admin:pass https://localhost:8089/servicesNS/{user}/{app}/saved/searches/{search%20name}/acl -d owner={user} -d sharing=app
0 Karma

hexx
Splunk Employee
Splunk Employee

If you cannot use the UI at all, you'll need to POST to the /servicesNS/{user}/{app}/saved/searches/{search name}/acl REST API endpoint and update the value of the sharing key in the eai:acl properties from "user" to "app" or "global".

In the example below, I am changing the sharing property from "user" to "app" for a saved search named "_internal errors - last 15 minutes" which is private and belongs to user "odisciullo" in app "search":

$SPLUNK_HOME/bin/splunk _internal call '/servicesNS/odisciullo/search/saved/searches/_internal%20errors%20-%20last%2015%20minutes/acl' -post:owner odisciullo -post:sharing app

After this change, any user can run that saved search from within the context of the "search" app.

nnmiller
Contributor

Just a note--I tried hexx's method in 6.6.0 and it failed with <msg type="ERROR">You do not have permission to share objects at the system level</msg> even though I was attempting it as admin.

Instead, I had to use the methods covered in the documentation on REST ACLs, involving curl.

DEAD_BEEF
Builder

Can you share what the curl command was?

EDIT: curl -k -u admin:pass https://localhost:8089/servicesNS/{user}/{app}/saved/searches/{search%20name}/acl -d owner=alice -d sharing=app

0 Karma

horsefez
SplunkTrust
SplunkTrust

@DEAD_BEEF,

I don't want to discourage you from getting your answer, but for answers that are that far back it most likely is better to just ask a new question as to try to restart the conversation.

It can also help to use @ in front of the username to notify the user that he or she was mentioned by someone somewhere on this site. @nnmiller

Regards,
pyro_wood

DEAD_BEEF
Builder

@pyro_wood Gotcha. I updated my comment with the answer for future readers.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...