Getting Data In

Role capabilities to change Event Type permissions through REST api

dolxor
Path Finder

Hello.

I'm creating an Event Type like this;

curl -k -u RESTUser:RESTPass https://localhost:8089/servicesNS/RESTUser/search/saved/eventtypes \
    -d name="incident_1" \
    --data-urlencode search=search="src_ip=10.0.0.1 sig_id=10001"

My RESTUser is a member of one role, the 'REST_API_User' which has the following capabilities;

rest_apps_management
rest_apps_view
rest_properties_get
rest_properties_set

Then I want to change this Event Type from a private Event Type to an App-wide Event Type. I do this also through the REST API;

curl -k -u RESTUser:RESTPass https://localhost:8089/servicesNS/RESTUser/search/saved/eventtypes/incident_1/acl \
    -d perms.read=* \
    -d perms.write=* \
    -d sharing=app \
    -d owner=RESTUser

However, now I am denied this action with the following error message;

<?xml version="1.0" encoding="UTF-8"?>
<response>
  <messages>
    <msg type="ERROR">User 'RESTUser' with roles { restuser, rest_api_user } cannot write: /nobody/search/eventtypes/incident_1 { read : [ * ], write : [ admin, power ] }, export: global, removable: no</msg>
  </messages>
</response>
  1. Why does it want to write to /nobody/search/...? I spesificially told it to update RESTUser/search/saved/eventtypes/incident_1 - No mention of /nobody/ ..
  2. Why does it say write : [ admin, power ] - is this the default permission when creating an Event Type?
  3. I even tried to add inheritance to the role REST_API_User, to inherit the role "user", but still no luck. If I login to the GUI with the role User added to me I do not see the "Permissions" link behind the "Sharing Private" for the line of this Event Type.
  4. If I add the RESTUser with admin role - everything works nicely.

I am confused as what to do, as I don't want to give a system admin access to my Splunk just to add and update EventType ACL's. Isn't there a way to create an Event Type and simultaneously set the permissions? It seems to default be set to [ admin, power ].

Any advice out there?

gkanapathy
Splunk Employee
Splunk Employee

In addition to all the roles and the event type, you must have write permission to the parent app.

dolxor
Path Finder

Hello. I will try to give RESTUser write to the app.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Get Agentic with Splunk Lantern: Connect to Cisco Cloud Control, Transform ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

July Community Events: Master ITSI 5.0 & Automate Splunk

Struggling with alert fatigue or feeling like you're spending more time on infrastructure maintenance than ...

New Release of Federated Search: Bringing Splunk Analytics to More of Your Data

Organizations today are generating more data than ever and storing it across cloud object stores, data lakes, ...