Re: Possible bug with changing permission on sourc...

knielsen · ‎01-20-2020

Hello,

I just ran into the issue that I couldn't change the permission of a source based field extraction via GUI on 7.3.1.

This only happens for source based field extrations, sourcetype ones are not affected.

Clicking on the "Permissions" Link in Sharing results in an error like this:

Splunk could not retrieve permissions for resource data/props/extractions [HTTP 404] https://127.0.0.1:8089/servicesNS/kainiels/search/data/props/extractions/source%253A%253A%252Fvar%25...; [{'type': 'ERROR', 'text': 'Could not find object id=source%3A%3A/var/log/bar : EXTRACT-foo', 'code': None}]

Can someone confirm that issue, or is our installation maybe broken somehow? I didn't see this mentioned in the release notes of later versions...

darius_diederic · ‎04-30-2020

I received word from developers this bug will be fixed on version 7.2.11, 7.3.6 and 8.0.4 with a release date of 05/12/2020.

dbot2001 · ‎06-15-2020

Is there a workaround for this?

kaurinko · ‎04-30-2020

I can confirm, that this only happens for source based field extractions. Ones with sourcetype-based searches are not affected.

kaurinko · ‎04-30-2020

I have the same problem with 8.0.1. Would be interested to know if there is a solution.

darius_diederic · ‎02-13-2020

I have the same problem with version 7.2.9.1. It appears to me that this error occurs for any field extraction that contains a forward slash /. Did happen to get any confirmation this is a bug?

Possible bug with changing permission on source based field extraction

permissions

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?