We have this message popping up:
-- Search peer
SH name has the following message: Health Check: One or more apps ("SA-cim_vladiator-master") that had previously been imported are not exporting configurations globally to system. Configuration objects not exported to system will be unavailable in Enterprise Security.
Why is it?
What the message says is that the knowledge objects defined inside the SA-cimvalidator-master app cannot be seen from inside the Splunk Enterprise Security App unless they are declared as "system". I assume that you have installed ES recently, which in turn activates the check for non-global objects in the health check. To resolve the "error", either remove the SA-cimvalidator-master app or change the permissions of the app's knowledge objects to system. The error could also come from recent changes to the SA.../metadata/*.meta files that have in effect changed the permissions.
Do you know if there are any other common causes for this?
I am getting the same error described above except I have three separate apps listed, none of which are SA-CIM...
I checked the first one in the GUI by going to Settings > Knowledge > All Configurations and under Permissions for all of the affected apps it's set to Global. When I open the permissions it's set so that Everyone can Read. I assume this should be sufficient.
I also checked the metadata file in local and for each type (tags, event types, transforms, props, lookups, viewstates) they all have export = system.
You will need to put this setting in the add-on's metadata/local.meta file to allow everyone read access to all the objects defined in the add-on or app by default. That would stop the messages from showing up:
access = read : [ * ], write : [ admin ]
export = system
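
Added example, not part of the thread and not Splunk's or ES's own check: a small Python audit that merges an app's default.meta and local.meta text and lists the stanzas whose effective export is not system. It assumes local.meta overrides default.meta and that [type/name] overrides [type], which overrides []; the function names and sample files are constructed for illustration.

```python
import re

def parse_meta(text):
    """Parse .meta text into {stanza: {key: value}}; "" is the [] stanza."""
    stanzas, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def effective_export(stanzas, stanza):
    """Assumed precedence: [type/name] over [type] over []; unset means none."""
    parts = stanza.split("/") if stanza else []
    while True:
        value = stanzas.get("/".join(parts), {}).get("export")
        if value is not None:
            return value
        if not parts:
            return "none"
        parts.pop()

def not_exported(default_text, local_text=""):
    """Return stanzas whose effective export is not system (local wins)."""
    stanzas = parse_meta(default_text)
    for name, settings in parse_meta(local_text).items():
        stanzas.setdefault(name, {}).update(settings)
    return sorted(f"[{s}]" for s in stanzas
                  if effective_export(stanzas, s) != "system")

# Constructed sample files, not taken from any real app.
DEFAULT_META = """
[]
access = read : [ * ], write : [ admin ]
[props]
export = system
[savedsearches]
export = none
[eventtypes/failed_login]
export = none
"""
LOCAL_META = "[savedsearches]\nexport = system\n"

if __name__ == "__main__":
    print(not_exported(DEFAULT_META, LOCAL_META))
```

Under these assumptions a per-object stanza with its own export value is still reported after [] is set to export = system, so check object-level stanzas as well as the type-level ones. Because export = system combined with read : [ * ] makes the objects readable from every app by every role, narrow the read list where an app's lookups or searches hold sensitive data.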