Security

Possible bug with changing permission on source based field extraction

knielsen
Contributor

Hello,

I just ran into the issue that I couldn't change the permission of a source based field extraction via GUI on 7.3.1.

This only happens for source based field extrations, sourcetype ones are not affected.

Clicking on the "Permissions" Link in Sharing results in an error like this:

Splunk could not retrieve permissions for resource data/props/extractions [HTTP 404] https://127.0.0.1:8089/servicesNS/kainiels/search/data/props/extractions/source%253A%253A%252Fvar%25...; [{'type': 'ERROR', 'text': 'Could not find object id=source%3A%3A/var/log/bar : EXTRACT-foo', 'code': None}]

Can someone confirm that issue, or is our installation maybe broken somehow? I didn't see this mentioned in the release notes of later versions...

Labels (1)

darius_diederic
Engager

I received word from developers this bug will be fixed on version 7.2.11, 7.3.6 and 8.0.4 with a release date of 05/12/2020.

dbot2001
Path Finder

Is there a workaround for this?

Tags (1)
0 Karma

kaurinko
Path Finder

I can confirm, that this only happens for source based field extractions. Ones with sourcetype-based searches are not affected.

0 Karma

kaurinko
Path Finder

I have the same problem with 8.0.1. Would be interested to know if there is a solution.

darius_diederic
Engager

I have the same problem with version 7.2.9.1. It appears to me that this error occurs for any field extraction that contains a forward slash /. Did happen to get any confirmation this is a bug?

Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...