I have a user that wants to give me a search with references to a number of custom field extractions local to his profile.
e.g. index=cisco SLA="191" | transaction Cisco_Host maxspan=1800s
While I have access to the same index, I can't see the results of the search, since I don't know how the custom field extraction is defining SLA or Cisco_Host, for example. Both he and I are minimally privileged users, so I can't look at anything about his profile. Is there any easy way for him to convert his search into something not reliant on any custom field extractions? i.e. he runs a search expander and is then able to send me this search so I can see his results:
e.g. index=cisco | rex field=_raw "SLA: (?<SLA>\d\d\d)" | rex field=_raw "Cisco Host: (?<Cisco_Host>.*) " | search SLA="191" | transaction Cisco_Host maxspan=1800s
Or do I need to get him to send me all his custom field extractions and maintain a separate copy on my account? These are probably just quick hack extractions that could change and probably aren't going to be shared globally or on any app.
The best method for sharing knowledge objects, which includes field extractions, is to get their sharing permission changed to "App level" OR "Global/all apps". If you're not privileged users, you can work with your admin/power user in your area to get them published with the proper sharing permission. This way field extractions will be easier to manage.
To add onto this.. If the Splunk admin refuses to escalate your privileges, then you can request them to make a new user role which has your current privileges and add the field extractions to the role, so you're still "restricted" from doing higher level tasks but able to do what you need to do.
Would there be a way for me to get access to a user's private field extractions without admin_all_objects?
Nope. (They won't be private if someone else can access them, right?) Just ask your admin to clone the field extractions, share them within the app (or globally) and provide read access to your current role (which I'm guessing is the regular user role).
Just frustrating there's a readwrite_all_objects capability but somehow there is no read_all_objects capability.
I would recommend doing a field extraction at search time using the |rex command and saving the search. This would prevent you from needing to maintain a separate version of custom field extractions.
This works. Still a bit of work to construct in this case.
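To show what the inline-rex version of the search actually does once the saved extractions are gone, here is an added Python illustration (not Splunk's code and not from anyone in this thread) that models the pipeline from the question: two rex-style regexes applied to _raw, a `search SLA="191"` filter, and a simplified `transaction Cisco_Host maxspan=1800s` grouping. The field names and the SLA pattern are taken from the question; the sample events are constructed, and the host pattern is tightened from `.*` to `\S+` because a greedy `.*` followed by a space would swallow the rest of the event rather than just the host name. The transaction grouping is a minimal model (first-to-last span only) and does not reproduce every option of Splunk's transaction command.

```python
import re
from datetime import datetime, timedelta

# Inline extractions, the equivalent of the two `rex` commands in the question.
# Python's re needs (?P<name>...) where Splunk's PCRE accepts (?<name>...).
# The question's `.*` for the host is tightened to `\S+` (an adjustment made
# here) so the capture stops at the first space instead of the last one.
EXTRACTIONS = [
    re.compile(r"SLA: (?P<SLA>\d\d\d)"),
    re.compile(r"Cisco Host: (?P<Cisco_Host>\S+)"),
]

# Constructed sample events (not real data): (_time, _raw).
SAMPLE_EVENTS = [
    ("2024-03-01 08:00:00", "Cisco Host: rtr-edge-01 SLA: 191 state: down"),
    ("2024-03-01 08:10:00", "Cisco Host: rtr-edge-01 SLA: 191 state: down"),
    ("2024-03-01 08:12:00", "Cisco Host: rtr-edge-02 SLA: 205 state: up"),
    ("2024-03-01 09:30:00", "Cisco Host: rtr-edge-01 SLA: 191 state: up"),
    ("2024-03-01 09:40:00", "Cisco Host: rtr-edge-02 SLA: 191 state: down"),
]


def extract_fields(raw):
    """Apply each rex-style pattern to _raw. A field whose pattern does not
    match is simply absent, which is how Splunk's rex behaves too."""
    fields = {}
    for pattern in EXTRACTIONS:
        m = pattern.search(raw)
        if m:
            fields.update(m.groupdict())
    return fields


def search(events, **filters):
    """`| search SLA="191"`: keep events whose extracted fields equal the filters."""
    kept = []
    for ts, raw in events:
        fields = extract_fields(raw)
        if all(fields.get(k) == v for k, v in filters.items()):
            kept.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), fields))
    return kept


def transaction(events, field, maxspan):
    """Simplified `| transaction <field> maxspan=...`: events sharing `field`
    are grouped while the group's first-to-last span stays within maxspan;
    an event outside that span closes the group and starts a new one."""
    events = sorted(events, key=lambda e: e[0])
    open_groups = {}  # field value -> current open group of (time, fields)
    closed = []
    for ts, fields in events:
        key = fields.get(field)
        if key is None:
            continue  # no value for the grouping field: transaction drops it
        group = open_groups.get(key)
        if group and ts - group[0][0] <= maxspan:
            group.append((ts, fields))
        else:
            if group:
                closed.append(group)
            open_groups[key] = [(ts, fields)]
    closed.extend(open_groups.values())
    return [
        {
            field: g[0][1][field],
            "eventcount": len(g),
            "duration": (g[-1][0] - g[0][0]).total_seconds(),
        }
        for g in closed
    ]


def run():
    """index=cisco | rex ... | rex ... | search SLA="191" | transaction Cisco_Host maxspan=1800s"""
    matched = search(SAMPLE_EVENTS, SLA="191")
    return transaction(matched, "Cisco_Host", timedelta(seconds=1800))


if __name__ == "__main__":
    for t in run():
        print(t)
```

Running it yields three transactions from the five constructed events: the two early rtr-edge-01 events fall inside the 1800-second span and merge, the 09:30 rtr-edge-01 event is too far from the first one and opens a new transaction, and the SLA 205 event is dropped by the search filter before grouping.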