I've scoured the net trying to figure out how to create a saved search via the Splunk Python SDK and change user to "nobody" to place it in the global visibility realm. I've successfully been able to create the search using the SDK documentation, but have hit a wall when it comes to changing the owner of the search.
I know this can be done easily using cURL, but that's not supported by Python or the SDK and I'm trying to avoid external calls. There have been several answers to this, but many of them are outdated, with libraries that are no longer supported.
Currently I'm trying to use the requests library in Python with the following code. While I am able to perform a GET successfully, the POST is met with a 403 error. I think my issue is with the POST command, but I'm just not sure.
import requests

def modify_perms(ss):
    # ACL endpoint of the saved search, acting as user "api" in the "search" app
    url = "https://localhost:8089/servicesNS/%s/search/saved/searches/%s/acl" % ("api", ss)
    # verify=False skips certificate checking (self-signed cert)
    response = requests.post(url, auth=('api', 'password'), verify=False, data="owner=nobody")
    print response.status_code

modify_perms("Test")
Here is what I have used; it may help you solve your situation. If it does, please accept the answer / upvote if appropriate!
Here is a script I've used to re-own items on the command line (it's a mass re-own but the calls provide hints of which REST endpoints you will need to hit to do what you want to do):
#!/bin/sh
if [ $# -lt 1 ]; then
    echo "Please pass in the username to work on"
    echo "Please pass in a 2nd argument to actually run otherwise this runs in debug mode"
    exit 1
fi
debugMode="true"
if [ $# -eq 2 ]; then
    debugMode="false"
fi
username="$1"
newOwner="admin"
#Find every .meta/.conf file under the Splunk etc tree that mentions the user
grep -R "$username" /opt/splunk/etc/* | grep -v "\.js" | grep -E "\.meta|\.conf" | cut -d ":" -f1 | sort | uniq > /tmp/allFilesFoundToReown.txt
for aFile in `cat /tmp/allFilesFoundToReown.txt`; do
    echo "$aFile"
    #Hardcoding because /opt/splunk/etc/apps/<appName>
    app=`echo "$aFile" | cut -d "/" -f 6`
    #Extract the lines for [views/...] or similar and combine it with the "owner = " line somewhere below it if it should exist
    #Then remove the [ ] around the view/props/savedsearch
    grep -E "^\[|owner" "$aFile" | sed -e ':a' -e 'N' -e '$!ba' -e 's/\nowner/ owner/g' | grep "$username" | cut -d "]" -f1 | cut -d "[" -f2 > /tmp/allEntitiesToReown.txt
    #For each entity we have to reown them
    for entity in `cat /tmp/allEntitiesToReown.txt`; do
        entityType=`echo "$entity" | cut -d "/" -f1`
        entityName=`echo "$entity" | cut -d "/" -f2`
        entityName2=`echo "$entity" | cut -d "/" -f3`
        if [ "$entityType" = "savedsearches" ] ; then
            echo "Saved search"
            #Read the current sharing level so it can be posted back together with the new owner
            sharing=`$SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/saved/searches/$entityName" | grep sharing | cut -d ">" -f2 | cut -d "<" -f1`
            echo $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/saved/searches/$entityName/acl" -post:owner "$newOwner" -post:sharing "$sharing"
            if [ "$debugMode" = "false" ]; then
                $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/saved/searches/$entityName/acl" -post:owner "$newOwner" -post:sharing "$sharing"
            fi
        elif [ "$entityType" = "views" ] ; then
            echo "view type"
            sharing=`$SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/ui/views/$entityName" | grep sharing | cut -d ">" -f2 | cut -d "<" -f1`
            echo $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/ui/views/$entityName/acl" -post:owner "$newOwner" -post:sharing "$sharing"
            if [ "$debugMode" = "false" ]; then
                $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/ui/views/$entityName/acl" -post:owner "$newOwner" -post:sharing "$sharing"
            fi
        #Props are 3 levels deep
        elif [ "$entityType" = "props" ] ; then
            echo "props type"
            echo $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/props/extractions/$entityName%20%3A%20$entityName2"
            sharing=`$SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/props/extractions/$entityName%20%3A%20$entityName2" | grep sharing | cut -d ">" -f2 | cut -d "<" -f1`
            echo $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/props/extractions/$entityName%20%3A%20$entityName2/acl" -post:owner "$newOwner" -post:sharing "$sharing"
            if [ "$debugMode" = "false" ]; then
                $SPLUNK_HOME/bin/splunk _internal call "/servicesNS/$newOwner/$app/data/props/extractions/$entityName%20%3A%20$entityName2/acl" -post:owner "$newOwner" -post:sharing "$sharing"
            fi
        fi
    done
done
Here's another script that I've written in Python and partially borrowed from online articles:
import urllib
import urllib2
import ssl
import base64

#Send a request using a POST command to the required URL
#SSL checking is disabled due to use of the self-signed certificates
def sendrequest(values, server, url):
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    #Form-encode the POST fields (e.g. owner, sharing)
    data = urllib.urlencode(values)
    req = urllib2.Request(server + url, data)
    #base64string holds the Basic auth value ("username:password" base64-encoded), built by the caller
    req.add_header("Authorization", "Basic %s" % base64string)
    response = urllib2.urlopen(req, context=ctx)
    the_page = response.read()
    return the_page
I then do something similar to:
#Splunk username/password
username = "yourusername"
password = "yourpassword"
base64string = base64.encodestring('%s:%s' % (username, password)).replace('\n', '')
#No trailing slash: url below starts with one
server = "https://localhost:8089"
#Start by creating the connection, the identity already exists
url = "/servicesNS/nobody/splunkapp/endpoint"
#POST fields, e.g. the new owner for an /acl endpoint
values = {"owner": "nobody"}
#Actually send the request
sendrequest(values, server, url)
Hope that helps...
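The following is an added example, not code from the question or from the answer above. It puts the two approaches on this page together in Python 3 with the requests library: it reads the saved search's current sharing level first (as the answer's shell script does) and then POSTs owner and sharing together to the /acl endpoint from the question. The base URL, app name, search name, the SPLUNK_USER / SPLUNK_PASS / SPLUNK_CA environment variables and the function names are assumptions for the example. Certificate verification is left on by default; point verify at the CA bundle that signed the Splunk certificate rather than passing False.

```python
"""Added example (Python 3): re-own a Splunk saved search through the REST ACL
endpoint with requests. Not code from the question or answer on this page."""
import os
from urllib.parse import quote

try:
    import requests  # only needed for the network calls in reown_saved_search()
except ImportError:  # the URL/form helpers below still work without it
    requests = None

VALID_SHARING = ("user", "app", "global")


def entity_url(server, actor, app, name):
    """URL of the saved search itself, used to read its current ACL.
    'actor' is the user the request runs as (the /servicesNS/<user>/ segment).
    The search name is percent-encoded so names containing spaces or '/' work."""
    return "{}/servicesNS/{}/{}/saved/searches/{}".format(
        server.rstrip("/"), quote(actor, safe=""), quote(app, safe=""), quote(name, safe=""))


def acl_url(server, actor, app, name):
    """URL of the ACL endpoint for that saved search (the one the question POSTs to)."""
    return entity_url(server, actor, app, name) + "/acl"


def current_sharing(entity_json):
    """Extract 'sharing' from a GET of the saved search with output_mode=json;
    Splunk returns it under entry[0].acl.sharing."""
    sharing = entity_json["entry"][0]["acl"]["sharing"]
    if sharing not in VALID_SHARING:
        raise ValueError("unexpected sharing value: %r" % (sharing,))
    return sharing


def acl_form(new_owner, sharing):
    """Form body for the ACL POST. Both owner and sharing are sent, as the
    answer's shell script does with -post:owner and -post:sharing."""
    if sharing not in VALID_SHARING:
        raise ValueError("unexpected sharing value: %r" % (sharing,))
    return {"owner": new_owner, "sharing": sharing}


def reown_saved_search(session, server, actor, app, name, new_owner="nobody", verify=True):
    """Read the search's current sharing, then POST owner+sharing to its ACL.
    Returns the HTTP status code of the POST.
    'session' is a requests.Session with .auth already set.
    'verify' should be True or the path of a CA bundle; passing False (as the
    question does) disables certificate checking, so the Basic-auth credentials
    can be read by anyone able to intercept the connection."""
    r = session.get(entity_url(server, actor, app, name),
                    params={"output_mode": "json"}, verify=verify, timeout=30)
    r.raise_for_status()
    sharing = current_sharing(r.json())
    r = session.post(acl_url(server, actor, app, name),
                     data=acl_form(new_owner, sharing), verify=verify, timeout=30)
    if r.status_code == 403:
        # The authenticated user is not allowed to change this object's ACL:
        # check that it owns the search and that its role may write it.
        return 403
    r.raise_for_status()
    return r.status_code


if __name__ == "__main__":
    # Constructed usage: credentials come from the environment; the CA bundle
    # path in SPLUNK_CA is an assumed location.
    s = requests.Session()
    s.auth = (os.environ["SPLUNK_USER"], os.environ["SPLUNK_PASS"])
    status = reown_saved_search(s, "https://localhost:8089", os.environ["SPLUNK_USER"],
                                "search", "Test", verify=os.environ.get("SPLUNK_CA", True))
    print("ACL POST returned", status)
```

Because the search's name is percent-encoded and the body is sent as a dict, requests sets the form content type itself, which a raw string body such as "owner=nobody" does not get.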