topic Re: Sharing search with custom field extraction in Splunk Search

Sharing search with custom field extraction

kaufmanm — Tue, 29 Sep 2020 10:28:01 GMT

I have a user that wants to give me a search with references to a number of custom field extractions local to his profile.

e.g. index=cisco SLA="191" | transaction Cisco_Host maxspan=1800s

Well I have access to the same index, I can't see the results of the search since I don't know how the custom field extraction is defining SLA or Cisco_Host for example. Both he and I are minimally privileged users so I can't look at anything about his profile, is there any easy way for him to convert his search into something not reliant on any custom field extractions? i.e. He runs a search expander and then is able to send me this search so I can see his results:

e.g. index=cisco | rex field=_raw "SLA: (?\d\d\d)" | rex field=_raw "Cisco Host: (?.*) " | search SLA="191" | transaction Cisco_Host maxspan=1800s

Or do I need to get him to send me all his custom field extractions and maintain a separate copy on my account? These are probably just quick hack extractions that could change and probably aren't going to be shared globally or on any app.

Re: Sharing search with custom field extraction

skoelpin — Wed, 03 Aug 2016 15:28:50 GMT

I would recommend doing a field extraction at search time using the |rex command and save the search. This would prevent you from needing to maintain a separate version of custom field extractions

Re: Sharing search with custom field extraction

somesoni2 — Wed, 03 Aug 2016 16:37:04 GMT

The best method for sharing knowledge objects, which includes fields extraction, is to get their sharing permission changed to "App level" OR "Global/all apps". If you're not privileged users, you can work with your admin/power user in your area to get them published with proper sharing permission. This way field extractions will be easier to manage.

Re: Sharing search with custom field extraction

skoelpin — Wed, 03 Aug 2016 18:13:01 GMT

To add onto this.. If the Splunk admin refuses to escalate your privileges, then you can request them to make a new user role which has your current privileges and add on the field extractions to the role so your still "restricted" from doing higher level tasks but able to do what you need to do

Re: Sharing search with custom field extraction

kaufmanm — Tue, 29 Sep 2020 10:28:09 GMT

Would there be a way for me to get access to a user's private field extractions without admin_all_objects?

Re: Sharing search with custom field extraction

somesoni2 — Wed, 03 Aug 2016 20:38:32 GMT

Nopes. (they won't be private if someone else can access it,right?). Just ask your admin to clone the field extractions, share it within app (or global) and provide read access to your current role (which I'm getting is regular user role).

Re: Sharing search with custom field extraction

kaufmanm — Tue, 29 Sep 2020 10:28:11 GMT

Just frustrating there's a readwrite_all_objects capability but somehow there is no read_all_objects capability.

Re: Sharing search with custom field extraction

kaufmanm — Wed, 03 Aug 2016 20:49:22 GMT

This works. Still a bit of work to construct in this case.