Hi Everyone,
we are encountering a problem with the Automated Introspection feature for Data Inventory in Splunk Security Essentials. Although the introspection process seems to runs just fine, it fails to save the data.
On the UI, there are no error messages displayed. However the introspection process does not map any data as expected. We analyzed the situation using the development console in the browser, as Splunk does not seem to provide error messages at this point in the UI. Following are the specifics of the request and the response we received:
Request Details:
https://our-splunk-instance.com/servicesNS/nobody/Splunk_Security_Essentials/storage/collections/data/data_inventory_products/batch_save
POST
403 Forbidden
Response Message:
<?xml version="1.0" encoding="UTF-8"?>
<response>
<messages>
<msg type="ERROR">User '[username]' with roles { [role1], [role2], ... } cannot write to the collection: /nobody/Splunk_Security_Essentials/collections/data_inventory_products { read : [ * ], write : [ admin, power ] }, export: global, owner: nobody, removable: no, modtime: [timestamp]</msg>
</messages>
</response>
The error message suggests that the user [username] does not have the necessary write permissions for the specified collection. The roles assigned to this user include [role1], [role2], ..., which appear to lack the required write access. Steps we have taken so far:
Can anyone provide guidance on any troubleshooting steps that might resolve this issue? We are particularly interested in understanding how to grant the necessary write access to the user or roles involved.
Thank you in advance for your support!
Best regards
