The SA-nix app has many savedsearches (and probably other config) that are required by splunk_app_for_nix. The default.meta export for savedsearches is system. That means that any app in my environment using <saved source="unclassified" match="error" /> will capture all of the SA-nix savedsearches.
To avoid clutter and confusion for my users, I've set SA-nix's local.meta to
[savedsearches]
export = none
Unfortunately, this means some features of splunk_app_for_nix do not work (because they can't access the config/savedsearches).
In the interim, I've created a symlink from the SA-nix/default/savedsearches.conf to the splunk_app_for_nix/local/savedsearches.conf ...but I assume there's a more responsible way to implement this.
Am I missing something here on how to make this work without:
1. Confusing my users with odd searches/config
2. Editing the apps and losing such edits when a new version of the app is released
If your users have access to the Splunk App for Unix and Linux, then whether or not these saved searches live in splunk_app_for_nix or in the SA-nix, they would still see them in such an unclassified menu.
Thus, I don't understand what the problem is. If you don't want your users to see said searches, don't give them read permissions to the app.
With regard to using a symlink, I would strongly advise you against it.
The standard practice for supporting (SA) and technical (TA) add-ons is to export to system. Moreover, the standard practice is for SA to contain any code that is required on the search head.
I still think that if you only give read permission to the unix app, SA, and TA to the users that need it, then the point is moot.
The point is not moot. SA-*nix saved searches show up in navigation for other apps that use saved source="unclassified" if a user has access to both SA-*nix and the other app.
Installing SA-*nix effectively renders saved source="unclassified" useless.
I think I was unclear in the initial problem statement.
Our internally created apps show all of the SA-nix savedsearches because SA-nix defines all savedsearches as "system" exported.
I've tried to resolve that by changing the savedsearch export to "none" in a local.meta. Unfortunately, this causes issues with splunk_app_for_nix, which is dependent on savedsearches from SA-nix.
My understanding is that the proper design in Splunk is to only export to the system if it truly will be used in ALL other apps.
If the searches required by splunk_app_for_nix were kept in splunk_app_for_nix (not SA-nix) AND use the default export (app level), then this would not be an issue.
So the challenge is: How to allow splunk_app_for_nix to access savedsearches from SA-nix without having those savedsearches appear in ALL apps' unclassified lists?
I hope that's more clear but let me know if not.
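
The export scoping discussed in this thread can be audited offline. The following is an added example, not code from any poster or from the apps themselves: it layers a local.meta over a default.meta and reports which saved searches remain exported to system. The sample metadata and search names are constructed placeholders, and the resolution order (object stanza over type stanza over app stanza, local over default, app-private when nothing is set) is an assumption of this sketch.

```python
from urllib.parse import unquote

# Constructed sample metadata; the saved search names are placeholders.
DEFAULT_META = """
[savedsearches]
export = system
"""
LOCAL_META = """
[savedsearches]
export = none

[savedsearches/Example%20Search%20A]
export = system
"""
SEARCH_NAMES = ["Example Search A", "Example Search B"]

def parse_meta(text):
    """Parse .meta text into {stanza: {key: value}}; stanza names are URL-decoded."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(unquote(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective_export(name, default_meta, local_meta):
    """Assumed order: most specific stanza wins; within a stanza, local beats default."""
    for stanza in (f"savedsearches/{name}", "savedsearches", ""):
        for layer in (local_meta, default_meta):
            if "export" in layer.get(stanza, {}):
                return layer[stanza]["export"]
    return "none"  # assumption: an object is app-private unless exported

def globally_exported(names, default_text, local_text):
    """Return the saved searches that every other app would still see."""
    default_meta, local_meta = parse_meta(default_text), parse_meta(local_text)
    return [n for n in names if effective_export(n, default_meta, local_meta) == "system"]

if __name__ == "__main__":
    for name in globally_exported(SEARCH_NAMES, DEFAULT_META, LOCAL_META):
        print("exported to system:", name)
```

Running the same check with an empty local.meta shows the starting point described in the question, where every saved search in the add-on is globally visible.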