- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to change saved search permissions via python ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
I am looking for a way to change permissions to a saved search via splunk python SDK.
I tried using the splunklib.client post method:
import splunklib.client as client
app = "app_name"
cred = {"user": "admin", "password": "changeme", "port": 8089, "host": "localhost","owner":"admin"}
service = client.connect(app=app,**cred)
service.post('saved/searches/report_name/acl', sharing="app" )
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 238, in wrapper
return request_fun(self, *args, **kwargs)
File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 62, in new_f
val = f(*args, **kwargs)
File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 657, in post
response = self.http.post(path, all_headers, **query)
File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 1089, in post
return self.request(url, message)
File "/usr/lib/python2.6/site-packages/splunk_sdk-1.2.3-py2.6.egg/splunklib/binding.py", line 1109, in request
raise HTTPError(response)
splunklib.binding.HTTPError: HTTP 404 Not Found --
In handler 'savedsearch': Could not find object id=report_name
When i try using curl i get no problem:
curl -k -u admin:changeme https://localhost:8089/servicesNS/admin/app_name/saved/searches/report_name/acl -d sharing=app
Maybe i am doing something wrong? Or maybe there is other way to do it and i am missing it?
Regards,
Dori
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I didn't find a way to do with the splunklib.client object, but i was able to pass it using the answer to this question (see @flynt answer):
Note - Flynt answer is working but the URL there is wrong (or apply to older splunk version). See my comments there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You had the right idea to post to /acl, but you need to urlencode the parameters.
The following creates a new EventType then changes the permissions afterwards. There does not appear to be a way to assign the roles with the initial create method. The "/acl" link can be derived from links in the returned Stanza object.
from urllib.parse import urlencode
newperms = { "perms.read": "role name 1,role name 2, role name 3",
"perms.write": "role name 1, role name 2",
"sharing": "app", "owner": "nobody"
}
newet = sdk.confs["eventtypes"].create("test_event_type",sharing="app",app="custom_app")
sdk.post("%s/%s" % (newet.links["alternate"], "acl"), body=urlencode(newperms))
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I didn't find a way to do with the splunklib.client object, but i was able to pass it using the answer to this question (see @flynt answer):
Note - Flynt answer is working but the URL there is wrong (or apply to older splunk version). See my comments there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your comment @dorilevy, however that example does indeed include the correct URL.
"https://localhost:8089/servicesNS/%s/search/saved/searches/%s/acl" % ("admin", ss)
request = urllib2.Request( url )
It's important to remember the app context the saved search resides in otherwise you will run into an issue where the saved search is not found. For example if I had an app named "MYAPP" and a saved search named "MYSEARCH" the url should reflect that.
https://localhost:8089/servicesNS/admin/MYAPP/saved/searches/MYSEARCH/acl
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @flynt,
You are correct. i missed the app context (my app is not search, that is why i thought it is mistake). Sorry about it, and again - thanks for the solution.
Dori
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
