Possible bug with changing permission on source based field extraction



I just ran into the issue that I couldn't change the permission of a source based field extraction via GUI on 7.3.1.

This only happens for source based field extrations, sourcetype ones are not affected.

Clicking on the "Permissions" Link in Sharing results in an error like this:

Splunk could not retrieve permissions for resource data/props/extractions [HTTP 404]; [{'type': 'ERROR', 'text': 'Could not find object id=source%3A%3A/var/log/bar : EXTRACT-foo', 'code': None}]

Can someone confirm that issue, or is our installation maybe broken somehow? I didn't see this mentioned in the release notes of later versions...

Labels (1)


I received word from developers this bug will be fixed on version 7.2.11, 7.3.6 and 8.0.4 with a release date of 05/12/2020.

Path Finder

Is there a workaround for this?

Tags (1)
0 Karma


I can confirm, that this only happens for source based field extractions. Ones with sourcetype-based searches are not affected.

0 Karma


I have the same problem with 8.0.1. Would be interested to know if there is a solution.


I have the same problem with version It appears to me that this error occurs for any field extraction that contains a forward slash /. Did happen to get any confirmation this is a bug?

Get Updates on the Splunk Community!

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...

Introduction to Splunk AI

WATCH NOWHow are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. ...