Sharing search with custom field extraction

kaufmanm
Communicator

I have a user that wants to give me a search with references to a number of custom field extractions local to his profile.

e.g. index=cisco SLA="191" | transaction Cisco_Host maxspan=1800s

While I have access to the same index, I can't see the results of the search since I don't know how the custom field extraction is defining SLA or Cisco_Host, for example. Both he and I are minimally privileged users, so I can't look at anything about his profile. Is there any easy way for him to convert his search into something not reliant on any custom field extractions? I.e., he runs a search expander and then is able to send me this search so I can see his results:

e.g. index=cisco | rex field=_raw "SLA: (?<SLA>\d\d\d)" | rex field=_raw "Cisco Host: (?<Cisco_Host>.*) " | search SLA="191" | transaction Cisco_Host maxspan=1800s

Or do I need to get him to send me all his custom field extractions and maintain a separate copy on my account? These are probably just quick hack extractions that could change and probably aren't going to be shared globally or on any app.

somesoni2
Revered Legend

The best method for sharing knowledge objects, which include field extractions, is to get their sharing permission changed to "App level" or "Global/all apps". If you're not privileged users, you can work with your admin/power user in your area to get them published with proper sharing permission. This way field extractions will be easier to manage.

skoelpin
SplunkTrust

To add onto this: if the Splunk admin refuses to escalate your privileges, then you can request them to make a new user role which has your current privileges and add on the field extractions to the role, so you're still "restricted" from doing higher-level tasks but able to do what you need to do.

0 Karma

kaufmanm
Communicator

Would there be a way for me to get access to a user's private field extractions without admin_all_objects?

0 Karma

somesoni2
Revered Legend

Nopes. (They won't be private if someone else can access them, right?) Just ask your admin to clone the field extractions, share them within the app (or globally) and provide read access to your current role (which I'm getting is the regular user role).

0 Karma

kaufmanm
Communicator

Just frustrating there's a readwrite_all_objects capability but somehow there is no read_all_objects capability.

0 Karma

skoelpin
SplunkTrust

I would recommend doing a field extraction at search time using the | rex command and saving the search. This would prevent you from needing to maintain a separate version of custom field extractions.

kaufmanm
Communicator

This works. Still a bit of work to construct in this case.

0 Karma
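
The "search expander" asked for in the question, combined with the inline rex approach from the accepted reply, sketched as an added example that is not part of the original thread or of any Splunk tool. The names `expand_search`, `rex_command` and `EXTRACTIONS` are hypothetical, and the owner of the private extractions would have to fill in the regexes himself.

```python
import re

# Constructed stand-ins for the owner's private extractions, modelled on the
# question's example. They are handled as plain strings: Python's re module
# does not accept Splunk's (?<name>...) group syntax and never compiles them.
EXTRACTIONS = {
    "SLA": r"SLA: (?<SLA>\d\d\d)",
    "Cisco_Host": r"Cisco Host: (?<Cisco_Host>.*) ",
}

# Pipes outside double quotes separate SPL commands.
PIPE = re.compile(r'\|(?=(?:[^"]*"[^"]*")*[^"]*$)')
# A base-search token: field<op>value, a quoted phrase, or a bare word.
TOKEN = re.compile(r'(\w+)(?:!=|<=|>=|=|<|>)(?:"[^"]*"|\S+)|"[^"]*"|\S+')


def rex_command(regex):
    """Build an inline rex command, escaping quotes inside the regex."""
    return 'rex field=_raw "' + regex.replace('"', '\\"') + '"'


def expand_search(search, extractions):
    """Return `search` rewritten to carry its own field extractions."""
    base, *rest = [seg.strip() for seg in PIPE.split(search)]
    used = [f for f in extractions if re.search(rf"\b{re.escape(f)}\b", search)]
    if not used:
        return search
    # Filters on extracted fields cannot match before rex has run, so they
    # move from the base search into a `search` command after the rex steps.
    # Assumption: base-search terms are implicitly ANDed (no OR / NOT).
    kept, moved = [], []
    for m in TOKEN.finditer(base):
        (moved if m.group(1) in used else kept).append(m.group(0))
    parts = [" ".join(kept) or "*"] + [rex_command(extractions[f]) for f in used]
    if moved:
        parts.append("search " + " ".join(moved))
    return " | ".join(parts + rest)


if __name__ == "__main__":
    print(expand_search(
        'index=cisco SLA="191" | transaction Cisco_Host maxspan=1800s',
        EXTRACTIONS))
```

The expanded search runs under the recipient's own role and index permissions, so nothing about the sender's private knowledge objects has to be exposed or re-permissioned.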