Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to change the permissions of a saved search from the CLI

sadon
Explorer
‎07-27-2012 10:52 AM

I add a new saved search by CLI splunk:

./splunk add saved-search -search 'ERROR*' -name 'ERROR chart' -schedule '0 * * * *' -alert true

and by default I have a permission 'Keep private'

how to edit or add with

- 'This app only (search)',
- 'All apps'

permissions? without usage GUI.

Tags (4)
Reply

DEAD_BEEF
Builder
‎02-06-2019 10:17 AM

Solution working in Splunk v7.0
To change an existing report permissions from private to sharing

curl -k -u admin:pass https://localhost:8089/servicesNS/{user}/{app}/saved/searches/{search%20name}/acl -d owner={user} -d sharing=app
0 Karma
Reply

hexx
Splunk Employee
Splunk Employee
‎07-27-2012 01:18 PM

If you cannot use the UI at all, you'll need to POST to the /servicesNS/{user}/{app}/saved/searches/{search name}/acl REST API endpoint and update the value of the sharing key in the eai:acl properties from "user" to "app" or "global".

In the example below, I am changing the sharing property from "user" to "app" for a saved search named "_internal errors - last 15 minutes" which is private and belongs to user "odisciullo" in app "search":

$SPLUNK_HOME/bin/splunk _internal call '/servicesNS/odisciullo/search/saved/searches/_internal%20errors%20-%20last%2015%20minutes/acl' -post:owner odisciullo -post:sharing app

After this change, any user can run that saved search from within the context of the "search" app.

Reply

nnmiller
Contributor
‎08-02-2017 12:43 PM

Just a note--I tried hexx's method in 6.6.0 and it failed with <msg type="ERROR">You do not have permission to share objects at the system level</msg> even though I was attempting it as admin.

Instead, I had to use the methods covered in the documentation on REST ACLs, involving curl.

Reply

DEAD_BEEF
Builder
‎02-06-2019 08:33 AM

Can you share what the curl command was?

EDIT: curl -k -u admin:pass https://localhost:8089/servicesNS/{user}/{app}/saved/searches/{search%20name}/acl -d owner=alice -d sharing=app

0 Karma
Reply

horsefez
SplunkTrust
SplunkTrust
‎02-06-2019 08:47 AM

@DEAD_BEEF,

I don't want to discourage you from getting your answer, but for answers that are that far back it most likely is better to just ask a new question as to try to restart the conversation.

It can also help to use @ in front of the username to notify the user that he or she was mentioned by someone somewhere on this site. @nnmiller

Regards,
pyro_wood

Reply

DEAD_BEEF
Builder
‎02-06-2019 10:15 AM

@pyro_wood Gotcha. I updated my comment with the answer for future readers.

0 Karma
Reply
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...