Solved: How can we set the owner of a saved search from ad...

ddrillic · ‎11-01-2017

In the following page, we are unable to change the ownership of a saved search -

Where can we do it?

elliotproebstel · ‎11-01-2017

If you have filesystem access to the search head, you can change it in $SPLUNK_HOME/etc/apps/yourapp/metadata/local.meta.

Look for the stanza starting with [savedsearches/45%20Day%20AuthFailures] and replace owner = admin with the value of the username you would like to have own the search.

Note: After doing this, you will probably need to visit https://your.search.head/en-US/debug/refresh to make Splunk pick up the change in the config file.

View solution in original post

somesoni2 · ‎11-01-2017

Also look at the REST API method of doing the same (requirement: the current owner should be a valid user). This is helpful for SHC as well as avoids file changes and refresh/restart of Splunk.

https://answers.splunk.com/answers/295303/how-do-i-change-the-owner-of-a-saved-search-or-vie.html

ddrillic · ‎11-01-2017

Gorgeous @somesoni2.

elliotproebstel · ‎11-01-2017

If you have filesystem access to the search head, you can change it in $SPLUNK_HOME/etc/apps/yourapp/metadata/local.meta.

Look for the stanza starting with [savedsearches/45%20Day%20AuthFailures] and replace owner = admin with the value of the username you would like to have own the search.

Note: After doing this, you will probably need to visit https://your.search.head/en-US/debug/refresh to make Splunk pick up the change in the config file.

ddrillic · ‎11-01-2017

Perfect @elliotproebstel. I see it!!!

[savedsearches/<name>]
export = none
owner = admin
version = 6.5.2
modtime = 1509563343.905030000

How can we set the owner of a saved search from admin to another user?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM