Why is it that on my Splunk Cloud: settings get merged into SA-IdentityManagement?

PavelP
Motivator

Environment: Splunk ES SH running in cloud (Classic experience). There are two apps for a particular sourcetype (let's call it "sourcetype-x"): 

  • TA-customer-props (the old one)
  • zzz-customer_props (the new one)

Settings > Sourcetype > sourcetype-x > edit > Advanced > adding some new extractions and evals

When I'm trying to dump all props using a REST API call, I see that my settings are merged in SA-IdentityManagement, how come?

As far as I know, SA-IdentityManagement should contain lookups only.

Is there any way to "de-configure" sourcetype-x from TA-customer-props and SA-IdentityManagement and leave its configuration in zzz-customer_props only?

 

0 Karma

PavelP
Motivator

It is a cloud environment, classic experience, so no luck with btool :-(. All we have is an option to query the /servicesNS/-/-/configs/conf-props REST endpoint.

I would have no doubts about solving this problem on the CLI if it were an on-premise setup...

0 Karma

PickleRick
SplunkTrust

Bah. Missed the cloud part. Then I don't see another way than deleting the objects and recreating them in proper place. You can of course list all KOs from Settings -> All Configurations but recreating them will most probably be painful. You can try automating it with API but I'm not sure if developing it won't be more time-costly.

0 Karma

PickleRick
SplunkTrust

It's hard to say what you did to your apps 🙂 Someone might have created a knowledge object in the SA-IdentityManagement app. Why not? (from the technical point of view, not as a convention)

Remember that apps are mostly just directories for data. The effective config is getting merged from various small files scattered around your $SPLUNK_HOME/etc subdirectories according to the rules of precedence. See https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Wheretofindtheconfigurationfiles

 

0 Karma

PavelP
Motivator

SA-IdentityManagement is a hidden app, there is no way to just "create" a KO in it using the UI. This app comes with ES (actually a part of the ES setup) and should not be modified by the user. I can positively confirm there is no other user that could do this intentionally.

Any other ideas?

0 Karma

PickleRick
SplunkTrust

I know that it's a part of ES but with sufficient permissions you can create a KO in any app 🙂

For example:

PickleRick_0-1654184304311.png

 

Whether it should be modified or not is a completely different story.

You can of course do the btool dump of your config and see where the settings do come from (with the --debug option).

And it's just a simple matter of cut-paste if you want to move KOs between apps. Just remember that if you move a KO to another app and another KO from the same app relies on it, it might stop working properly if you have restrictive permissions.

0 Karma
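
Editor's added example (not code from any poster in this thread): without btool, the REST endpoint named above can still show which app each props setting is stored in, because every returned entry carries an `acl.app` field. The sketch below groups the entries for one stanza by app and lists the apps other than the intended one that still hold attributes. The sample response is constructed and trimmed, and assumes the JSON shape returned with `output_mode=json`; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample, trimmed to the fields used below. Assumed to follow the
# shape of /servicesNS/-/-/configs/conf-props with output_mode=json.
SAMPLE = {"entry": [
    {"name": "sourcetype-x",
     "acl": {"app": "TA-customer-props", "sharing": "global"},
     "content": {"EXTRACT-user": r"user=(?<user>\S+)",
                 "eai:appName": "TA-customer-props"}},
    {"name": "sourcetype-x",
     "acl": {"app": "SA-IdentityManagement", "sharing": "global"},
     "content": {"EVAL-src_user": "lower(user)",
                 "eai:appName": "SA-IdentityManagement"}},
    {"name": "sourcetype-x",
     "acl": {"app": "zzz-customer_props", "sharing": "app"},
     "content": {"EVAL-src_user": "lower(user)",
                 "EXTRACT-user": r"user=(?<user>\S+)"}},
    {"name": "other-sourcetype",
     "acl": {"app": "search", "sharing": "app"},
     "content": {"TZ": "UTC"}},
]}


def settings_by_app(response, stanza):
    """Map app -> {attribute: value} for every entry named `stanza`."""
    found = defaultdict(dict)
    for entry in response.get("entry", []):
        if entry.get("name") != stanza:
            continue
        app = entry.get("acl", {}).get("app", "<unknown>")
        for key, value in entry.get("content", {}).items():
            if key.startswith("eai:") or key == "disabled":
                continue  # REST bookkeeping fields, not props.conf settings
            found[app][key] = value
    return dict(found)


def stray_settings(response, stanza, wanted_app):
    """Attributes of `stanza` held by any app other than `wanted_app`."""
    return {app: sorted(attrs)
            for app, attrs in settings_by_app(response, stanza).items()
            if app != wanted_app and attrs}


if __name__ == "__main__":
    stray = stray_settings(SAMPLE, "sourcetype-x", "zzz-customer_props")
    for app, attrs in stray.items():
        print(f"{app}: {', '.join(attrs)}")
```

The apps it reports are the places where objects would have to be deleted and recreated, as suggested earlier in the thread.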