All Apps and Add-ons

SavedSearches required by splunk_app_for_nix but in SA-nix

sloshburch
Splunk Employee
Splunk Employee

The SA-nix app has many savedsearches (and probably other config) that are required by splunk_app_for_nix. The default.meta export for savedsearches is system. That means that any app in my environment using <saved source="unclassified" match="error" /> will capture all of the SA-nix savedsearches.

To avoid clutter and confusion for my users, I've set SA-nix's local.meta to
[savedsearches]
export = none

Unfortunately, this means some features of splunk_app_for_nix do not work (because they can't access the config/savedsearches).

In the interim, I've created a sym link from the SA-nix/default/savedsearches.conf to the splunk_app_for_nix/local/savedsearches.conf...but I assume there's a more responsible way to implement this.

Am I missing something here on how to make this work without:
1. Confusing my users with odd searches/config
2. Editing the apps and losing such edits when a new version of the app is released

0 Karma
1 Solution

araitz
Splunk Employee
Splunk Employee

If your users have access to the Splunk App for Unix and Linux, then whether or not these saved searches live in splunk_app_for_nix or in the SA-nix, they would still see them in such an unclassified menu.

Thus, I don't understand what the problem is. If you don't want your users to see said searches, don't give them read permissions to the app.

With regard to using a symlink, I would strongly advise you against it.

View solution in original post

0 Karma

araitz
Splunk Employee
Splunk Employee

If your users have access to the Splunk App for Unix and Linux, then whether or not these saved searches live in splunk_app_for_nix or in the SA-nix, they would still see them in such an unclassified menu.

Thus, I don't understand what the problem is. If you don't want your users to see said searches, don't give them read permissions to the app.

With regard to using a symlink, I would strongly advise you against it.

0 Karma

araitz
Splunk Employee
Splunk Employee

The standard practice for supporting (SA) and technical (TA) add ons is to export to system. Moreover, the standard practice is for SA to contain any code that is required on the search head.

I still think that if you only give read permission to the unix app, SA, and TA to the users that need it, then the point is moot.

0 Karma

wegscd
Contributor

point is not moot. SA-*nix saved searchs show up in navigation for other apps that use saved source="unclassified" if a user has access to both SA-*nix and the other app.

Installing SA-*nix effectively renders saved source="unclassified" useless.

0 Karma

sloshburch
Splunk Employee
Splunk Employee

I think I was unclear in the initial problem statement.

Our internally created apps show all of the SA-nix savedsearches because SA-nix defines all savedsearches as "system" exported.

I've tried to resolve that by changing the savedsearch export to "none" in a local.meta. Unfortunately, this causes issues with splunk_app_for_nix which are dependent on savedsearches from SA-nix.

My understanding is that the proper design in splunk is to only export to the system if it truly will be used in ALL other apps.

If the searches required by splunk_app_for_nix were kept in splunk_app_for_nix (not SA-nix) AND use the default export (app level), then this would not be an issue.

So the challenge is: How to allow splunk_app_for_nix to access savedsearches from SA-nix without having those savedsearches appear in ALL apps unclassified lists?

I hope that's more clear but let me know if not.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...