Could not update saved search permission

hochit
Path Finder

When I tried to change my saved search from private to shared, I got this error msg.

Splunk could not update permissions for resource saved/searches [{'text': 'Cannot overwrite existing app object', 'code': None, 'type': 'ERROR'}]

What's the best way to debug and fix this?


hochit
Path Finder

I got the solution myself, probably because of an integrity problem after I changed savedsearches.conf.

Should check etc/apps/search/metadata/local.meta

Working now 🙂


chuckg
Engager

I ran into this error while trying to migrate a report from "Private" to "App"
(Search) visibility, allowing other users to access the report.

After validating the problem was not:

  • An existing report in Search application with the same name
  • The filesystem permissions were correct (i.e. files owned by Splunk process)

--

In my case, the problem was that there was an old definition of a report with
the same name still referenced in the search application's local.meta that
was owned by another user, causing Splunk to think that I was trying to overwrite
another user's report. It was resolved by removing the bad definition from the
local.meta, refreshing the Splunk configuration, then going about the
permission modification as normal.

In the examples below, the example will use the following information:

  • Splunk application: Search
  • Report name: Example Report
  • Original report owner user: originee
  • New report owner creator/user: newbee

Before fixing the problem, you need to validate the report no longer exists
for the previous user:

$ cd $SPLUNK_HOME/etc
$ egrep -R "Example.*Report" *

# Example output
apps/search/metadata/local.meta:[savedsearches/Example%20Report]         <-- orphaned report meta
users/newbee/search/metadata/local.meta:[savedsearches/Example%20Report] <-- new report meta
users/newbee/search/local/savedsearches.conf:[Example Report]            <-- new report

If the saved search under the "Search" app is indeed orphaned, your output
should look very similar to the example above.

Now that you've identified the search as orphaned, we need to remove the
reference to it from the "Search" application metadata:

$ vim $SPLUNK_HOME/etc/apps/search/metadata/local.meta 

# Find the stanza and remove it:
[savedsearches/Example%20Report]
owner = originee                    <-- note it's owned by the original user
version = 6.0

Refresh the Splunk configuration by visiting the /debug/refresh endpoint on
your. Finally, modify the permissions on your report without an error.
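
A read-only check for the condition described in this thread, added here as an example (not code from the posters or from Splunk): it lists app-level `savedsearches/...` stanzas in `metadata/local.meta` that have no same-named report in the app's own `savedsearches.conf`, along with the stale owner and any users holding a private report of that name. The function names are hypothetical, the sample files are constructed from the thread's example, and "orphaned" is assumed to mean "no matching stanza in the app's default or local `savedsearches.conf`".

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

STANZA = re.compile(r"^\[(.*)\]$")

def read_stanzas(path):
    """Return {stanza: {key: value}} for a Splunk .conf/.meta file (empty if absent)."""
    stanzas, current = {}, None
    text = path.read_text(encoding="utf-8") if path.is_file() else ""
    for line in map(str.strip, text.splitlines()):
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def find_orphaned_meta(etc, app="search"):
    """List (report, meta owner, users with a private copy) for orphaned app metadata."""
    app_dir = Path(etc) / "apps" / app
    layers = (app_dir / d / "savedsearches.conf" for d in ("default", "local"))
    defined = set().union(*map(read_stanzas, layers))
    private = {p.parts[-4]: read_stanzas(p) for p in Path(etc).glob(f"users/*/{app}/local/savedsearches.conf")}
    orphans = []
    for stanza, keys in read_stanzas(app_dir / "metadata" / "local.meta").items():
        # local.meta URL-encodes object names, e.g. Example%20Report
        kind, _, name = unquote(stanza).partition("/")
        if kind == "savedsearches" and name and name not in defined:
            holders = sorted(u for u, s in private.items() if name in s)
            orphans.append((name, keys.get("owner"), holders))
    return orphans

def build_sample(root):
    """Constructed layout mirroring the thread's example (not real data)."""
    files = {
        "apps/search/metadata/local.meta": "[savedsearches/Example%20Report]\nowner = originee\nversion = 6.0\n",
        "users/newbee/search/metadata/local.meta": "[savedsearches/Example%20Report]\nowner = newbee\n",
        "users/newbee/search/local/savedsearches.conf": "[Example Report]\nsearch = index=_internal | head 1\n",
    }
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as etc:
        build_sample(etc)
        print(find_orphaned_meta(etc))
```

To use it on a real instance, pass the path of `$SPLUNK_HOME/etc` to `find_orphaned_meta`; the script only reads files, so the stanza removal and the refresh remain manual steps as described above.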
