I've completed a dashboard for my team at work, and am trying now to share it with them. Several of the dashboard panels rely on manual field extractions that I obtained with the field extractor. I have updated both the dashboard permissions and the field extraction permissions to be both read and write for my app.
My coworker logged in as himself and viewed the field extractions for our app. He can see the field extractions I created in the Field Extractions menu, so I know the sharing is working. However when he opens my dashboard, the panels say N/A. We opened those searches from his computer and found that my fields weren't being extracted in the searches, even though he was able to see the field extractions in the FE menu.
Any idea why this isn't working? Thanks so much.
i've know a similar problem which only occurs when the field extraction is generated with delimiters and not with regex. Have you used the field extraction wizard with the delimiter or with regex?
Hi Sven, I'm starting to see that pattern as well. I've extracted some fields with delimiters and some with regex. Turns out, my coworker can see the panels that use regex fields, but can't see the panels extracted with delimiters. (AKA he can see the inline extractions, but not the extractions which use transforms).
I tried to extract the delimiter fields with regex, but the field extractor wasn't able to find all of the fields. So I can't just switch methods.
I wonder why sharing the delimiter field extractions is more difficult?
The delimiter field extractions writes configs in the transforms.conf and props.conf, the reges field extractions only writes into props.conf. I think this is a problem with the transforms.conf, because this conf-File will stay in the users folder and not in the app folder. So there is the problem to access this field extractions with another user.
What you can do is to manually copy these entries out of the transforms.conf from the users folder into the transforms.conf in the app folder. But this is just a workaround, I hope Splunk will fix this problem soon.
Is there a way to make it work from the splunk GUI? mine is clustered environment and i don't even know the indexers/search heads hostnames and have absolutely no access to them. How do i solve this problem. Even if these changes needs to happen we need to copy them to search head props/transform files or to indexers, i understand it should be search head as we are talking user specific, let me know.
I have moved everything from transforms.conf from user to search app , but even after that delimiter extracted fields are not showing to me, as a admin since it was created by some another user.