I am trying to make a shared app where its knowledge objects available to everyone from all apps.
I edited shared_app/metadata/default.meta so it contains the following:
access = read : [ * ], write : [ admin, power ]
export = system
From what I have read, this should allow ANY user to read/see ANY type of knowledge object saved there from ANY app.
When I went to test this with a field extraction in the shared app I ran a search from the Search app, but the extracted field does not show up.
So I went to the permissions for the field extraction and changed it from private to this app only thinking that maybe it just had to be moved out from my user directory into the app's directory. I still could not see it from the Search app. So I set it to global and then it showed up in the Search app. I am trying to avoid having to explicitly set each object as global (to reduce the time/effort when creating a new object but more importantly because non-admins will have write access to the app and this is how they will make objects global without being an admin.)
I thought export = system in default.meta would have been good enough to make it effectively global. But in my testing it is not the case. What am I doing wrong?
if you want to make all field extractions global (instead of everything), you can instead put:
into the file. Then all items configured in that app's props and transforms files (which includes lookups as well as field extractions, but not tags or inputs for example) will be global (other than ones specifically set to a lower sharing level).
I was intending to make everything global (this app's purpose is to curate global objects among different groups using Splunk - most will be field extractions but there may be a few other types of objects.)
In order to get the field extraction working I had already tried adding the following to default.meta:
(It is just an inline field extraction, so there is no transforms.conf in the app)
I am curious about your last statement "will be global (other than ones specifically set to a lower sharing level)" The field extraction I am testing is not configured as global itself, I am trying to make it global along with everything else in the app without explicitly setting each object as global.
If I am understanding things correctly, with this config in place, none of the field extractions effectively have a "lower sharing level" / should be not global (private or shared only within the app.)
Since each app has its own default.meta file, there might be precedence issue. Try pasting the same configurations in
local.meta file in same location as default.meta and see if it fixes the issue.
I gave it a try just now but that did not get it working. I added it to the app's metadata.local and restarted Splunk. The extracted field still only shows up in the app it was created in.