Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change permissions for a job through the REST API/Python SDK?

chrishartsock
Path Finder
‎07-11-2018 12:32 PM

I am doing some automation in which I am running some searches through the API, and if any results are found, it emails the link to the job to some users. Everything works as desired except for the fact that, by default, jobs are private so the users do not have access. Is there anyway to programatically change the read permissions to everyone for a job?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adauria_splunk
Splunk Employee
Splunk Employee
‎07-17-2018 12:33 PM

Here are a couple ideas from my colleagues:

Go into the UI and change a search job permissions (either “share” or “extend job lifetime”) and then check splunkd_rest_access.log around the same time (index=_internal source= splunkd_rest_access.log) and see how the UI uses REST to make the change. Splunk Web is simply a front end for the REST API, so if it can be done there it can be done in the API – the trick is seeing how the UI does it (which that search should help you with).

You can also just try to modify the eai:acl.perms.read, eai:acl.perms.write, or eai:acl.sharing properties via a /services/search/jobs/{search_id} POST

Please let us know if either of these lead you to the answer.

View solution in original post

Reply
Solved! Jump to solution

sloshburch
Splunk Employee
Splunk Employee
‎07-18-2018 06:19 AM

I think the answer is at EAI response data cause there's a sharing parameter. Other than that, I thought it was possible to change permissions but done in the same way as any other Knowledge Object and not specific to searches...if that helps.

Reply
Solved! Jump to solution
Solution

adauria_splunk
Splunk Employee
Splunk Employee
‎07-17-2018 12:33 PM

Here are a couple ideas from my colleagues:

Go into the UI and change a search job permissions (either “share” or “extend job lifetime”) and then check splunkd_rest_access.log around the same time (index=_internal source= splunkd_rest_access.log) and see how the UI uses REST to make the change. Splunk Web is simply a front end for the REST API, so if it can be done there it can be done in the API – the trick is seeing how the UI does it (which that search should help you with).

You can also just try to modify the eai:acl.perms.read, eai:acl.perms.write, or eai:acl.sharing properties via a /services/search/jobs/{search_id} POST

Please let us know if either of these lead you to the answer.

Reply
Solved! Jump to solution

chrishartsock
Path Finder
‎07-18-2018 11:12 AM

You and @SloshBurch both hit it. I was able to hit https://myserver:8089/services/search/jobs/search_id/acl with a payload of:
perms.read: *
sharing: global

That seemed to do the trick.

Thanks!

0 Karma
Reply
Solved! Jump to solution

adauria_splunk
Splunk Employee
Splunk Employee
‎07-17-2018 01:51 PM

Sorry, splunkd_access will show you the REST calls

0 Karma
Reply
Solved! Jump to solution

chrishartsock
Path Finder
‎07-17-2018 01:29 PM

Does anything special have to be done to enable logging into the splunkd_rest_access.log? I cannot find it. I have searched the _internal index as well as looked in /opt/splunk/var/log/splunk/ on our search head.
Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...