All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Security Essentials: Automated Introspection for Data Inventory Fails to Save Data

dav2
Loves-to-Learn
a week ago
Hi Everyone,

 

we are encountering a problem with the Automated Introspection feature for Data Inventory in Splunk Security Essentials. Although the introspection process seems to runs just fine, it fails to save the data.
On the UI, there are no error messages displayed. However the introspection process does not map any data as expected. We analyzed the situation using the development console in the browser, as Splunk does not seem to provide error messages at this point in the UI. Following are the specifics of the request and the response we received:

 

Request Details:
  • Request URL: 
https://our-splunk-instance.com/servicesNS/nobody/Splunk_Security_Essentials/storage/collections/data/data_inventory_products/batch_save
  • Request Method: 
POST​
  • Status Code: 
403 Forbidden​
 

Response Message:

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">User '[username]' with roles { [role1], [role2], ... } cannot write to the collection: /nobody/Splunk_Security_Essentials/collections/data_inventory_products { read : [ * ], write : [ admin, power ] }, export: global, owner: nobody, removable: no, modtime: [timestamp]</msg>
  </messages>
</response>

 

The error message suggests that the user [username] does not have the necessary write permissions for the specified collection. The roles assigned to this user include [role1], [role2], ..., which appear to lack the required write access. Steps we have taken so far:
 
Can anyone provide guidance on any troubleshooting steps that might resolve this issue? We are particularly interested in understanding how to grant the necessary write access to the user or roles involved.

 

Thank you in advance for your support!

 

Best regards
Labels (2)
0 Karma
Reply

livehybrid
Super Champion
a week ago

Hi @dav2 

Your user needs to have either the "power" or "admin" role in order to be able to update that KV Store Collection.

Please check if the user has one of these roles, such as "power" and see if this resolves the issue.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...