Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Possible bug with changing permission on source ba...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Possible bug with changing permission on source based field extraction
Hello,
I just ran into the issue that I couldn't change the permission of a source based field extraction via GUI on 7.3.1.
This only happens for source based field extrations, sourcetype ones are not affected.
Clicking on the "Permissions" Link in Sharing results in an error like this:
Splunk could not retrieve permissions for resource data/props/extractions [HTTP 404] https://127.0.0.1:8089/servicesNS/kainiels/search/data/props/extractions/source%253A%253A%252Fvar%25...; [{'type': 'ERROR', 'text': 'Could not find object id=source%3A%3A/var/log/bar : EXTRACT-foo', 'code': None}]
Can someone confirm that issue, or is our installation maybe broken somehow? I didn't see this mentioned in the release notes of later versions...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I received word from developers this bug will be fixed on version 7.2.11, 7.3.6 and 8.0.4 with a release date of 05/12/2020.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I can confirm, that this only happens for source based field extractions. Ones with sourcetype-based searches are not affected.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same problem with 8.0.1. Would be interested to know if there is a solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same problem with version 7.2.9.1. It appears to me that this error occurs for any field extraction that contains a forward slash /. Did happen to get any confirmation this is a bug?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
