
SavedSearches required by splunk_app_for_nix but in SA-nix

sloshburch
Splunk Employee

The SA-nix app has many savedsearches (and probably other config) that are required by splunk_app_for_nix. The default.meta export for savedsearches is system. That means that any app in my environment using <saved source="unclassified" match="error" /> will capture all of the SA-nix savedsearches.

To avoid clutter and confusion for my users, I've set SA-nix's local.meta to
[savedsearches]
export = none

Unfortunately, this means some features of splunk_app_for_nix do not work (because they can't access the config/savedsearches).

In the interim, I've created a symlink from the SA-nix/default/savedsearches.conf to the splunk_app_for_nix/local/savedsearches.conf...but I assume there's a more responsible way to implement this.

Am I missing something here on how to make this work without:
1. Confusing my users with odd searches/config
2. Editing the apps and losing such edits when a new version of the app is released

1 Solution

araitz
Splunk Employee

If your users have access to the Splunk App for Unix and Linux, then whether or not these saved searches live in splunk_app_for_nix or in the SA-nix, they would still see them in such an unclassified menu.

Thus, I don't understand what the problem is. If you don't want your users to see said searches, don't give them read permissions to the app.

With regard to using a symlink, I would strongly advise you against it.


araitz
Splunk Employee

The standard practice for supporting (SA) and technical (TA) add-ons is to export to system. Moreover, the standard practice is for SA to contain any code that is required on the search head.

I still think that if you only give read permission to the unix app, SA, and TA to the users that need it, then the point is moot.


wegscd
Contributor

Point is not moot. SA-*nix saved searches show up in navigation for other apps that use saved source="unclassified" if a user has access to both SA-*nix and the other app.

Installing SA-*nix effectively renders saved source="unclassified" useless.


sloshburch
Splunk Employee

I think I was unclear in the initial problem statement.

Our internally created apps show all of the SA-nix savedsearches because SA-nix defines all savedsearches as "system" exported.

I've tried to resolve that by changing the savedsearch export to "none" in a local.meta. Unfortunately, this causes issues with splunk_app_for_nix, which is dependent on savedsearches from SA-nix.

My understanding is that the proper design in Splunk is to only export to the system if it truly will be used in ALL other apps.

If the searches required by splunk_app_for_nix were kept in splunk_app_for_nix (not SA-nix) AND used the default export (app level), then this would not be an issue.

So the challenge is: How to allow splunk_app_for_nix to access savedsearches from SA-nix without having those savedsearches appear in ALL apps unclassified lists?

I hope that's more clear but let me know if not.

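To make the visibility rules this thread is arguing about concrete (the original question's export = system vs. export = none in local.meta, the accepted answer's "just restrict read permission to the app", and the restated challenge above), here is an added Python simulation. It is not Splunk's code and not from any poster; the apps, saved search names and .meta contents are constructed for the example. It assumes the layering the thread describes: a saved search is visible from another app only when its owning app exports it to system, local.meta overrides default.meta, a per-object [savedsearches/<name>] stanza overrides the type-wide [savedsearches] stanza, and the nav element's match attribute is treated as a case-insensitive substring filter on the search name.

```python
import re

# Constructed sample environment (not real Splunk content).
APPS = {
    "SA-nix": {
        "default_meta": "[]\naccess = read : [ * ], write : [ admin ]\n\n[savedsearches]\nexport = system\n",
        "local_meta": "",
        "savedsearches": ["Errors by host", "Disk usage"],
    },
    "splunk_app_for_nix": {
        "default_meta": "[]\naccess = read : [ * ], write : [ admin ]\n",
        "local_meta": "",
        "savedsearches": ["Recent errors"],
    },
    "my_custom_app": {
        "default_meta": "[]\naccess = read : [ * ], write : [ admin ]\n",
        "local_meta": "",
        "savedsearches": ["App errors"],
    },
}


def parse_meta(text):
    """Minimal .meta parser: {stanza_name: {key: value}}; the app-level stanza is '[]'."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_export(app, obj_type, name):
    """Resolve the export scope of one object (assumed precedence, see lead-in)."""
    default, local = parse_meta(app["default_meta"]), parse_meta(app["local_meta"])
    for stanza in (f"{obj_type}/{name}", obj_type):  # object-specific stanza beats type-wide
        for meta in (local, default):                 # local.meta beats default.meta
            if "export" in meta.get(stanza, {}):
                return meta[stanza]["export"]
    return "none"  # no export key: object stays private to its own app


def read_roles(app):
    """Roles allowed to read the app, from the '[]' stanza's access key; later layer replaces earlier."""
    roles = set()
    for meta in (parse_meta(app["default_meta"]), parse_meta(app["local_meta"])):
        m = re.search(r"read\s*:\s*\[([^\]]*)\]", meta.get("", {}).get("access", ""))
        if m:
            roles = {r.strip() for r in m.group(1).split(",") if r.strip()}
    return roles


def unclassified_nav(apps, viewing_app, role, match=None):
    """Saved searches a <saved source="unclassified" match=.../> entry in viewing_app would list."""
    found = []
    for owner, app in apps.items():
        allowed = read_roles(app)
        if "*" not in allowed and role not in allowed:
            continue  # the accepted answer's lever: no read permission, nothing shows up
        for name in app["savedsearches"]:
            if owner != viewing_app and effective_export(app, "savedsearches", name) != "system":
                continue  # app-level (or none) export: invisible outside the owning app
            if match and match.lower() not in name.lower():
                continue
            found.append((owner, name))
    return sorted(found)


def scenario(sa_nix_local_meta, role="user"):
    """Apply a local.meta to SA-nix and report what the custom app and the nix app see."""
    apps = {k: dict(v) for k, v in APPS.items()}
    apps["SA-nix"]["local_meta"] = sa_nix_local_meta
    return {
        "custom_app_sees": unclassified_nav(apps, "my_custom_app", role, match="error"),
        "nix_app_sees_from_sa_nix": [
            n for o, n in unclassified_nav(apps, "splunk_app_for_nix", role) if o == "SA-nix"
        ],
    }


if __name__ == "__main__":
    print("as shipped:", scenario(""))
    print("export = none:", scenario("[savedsearches]\nexport = none\n"))
    print("read restricted, role user:", scenario("[]\naccess = read : [ admin ], write : [ admin ]\n"))
    print("read restricted, role admin:",
          scenario("[]\naccess = read : [ admin ], write : [ admin ]\n", role="admin"))
```

Running the three scenarios reproduces the thread: as shipped, the custom app's unclassified menu picks up SA-nix's matching search; with export = none the clutter disappears but splunk_app_for_nix loses every SA-nix search; restricting read access hides SA-nix objects from users without the role while leaving them intact for users who have it.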