I am using Splunk to document itself within app dashboards, and one of the searches I am using is | rest /services/configs/conf-transforms. Users have no trouble accessing other REST resources, but when this is added, users don't have access (only admin appears to have access). The current imported capabilities I have set for users are listed below. What am I missing?
Thanks, Bob
Imported capabilities:
change_own_password
get_metadata
get_typeahead
input_file
list_inputs
output_file
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
rtsearch
schedule_rtsearch
schedule_search
search
Also tried | rest /servicesNS/nobody/search/configs/conf-transforms which admin was able to access but users with settings above couldn't.
You could use the btool search command supplied in the SoS app: http://apps.splunk.com/app/748/
Using that, even regular users can load a list of transforms.conf settings, you can filter by app and stanza name.
Found a typo in my transforms. This worked great!
Thanks.
-Bob
I don't think DELIMS and FIELDS are meant to be visible through the regular Splunk UI.
I've added your stanza to my etc/apps/search/local/transforms.conf and these two searches can both see it:
| rest /services/configs/conf-transforms | search title=bro-conn-2014
| btool transforms | search stanza=bro-conn-2014
That's from an admin, a regular user can not see results from rest but he can see results from btool.
this is in etc/apps/search/local/transforms.conf
it appears to only see the transforms in /etc/system/local/transforms.conf??
sample from transforms.conf
[bro-conn-2014]
DELIMS = "\t"
FIELDS = ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, duration, orig_bytes, resp_bytes, conn_state, local_orig, missed_bytes, history, orig_pkts, orig_ip_bytes, resp_pkts, resp_ip_bytes, tunnel_parents
Could you post an excerpt of the transforms.conf settings your admin isn't seeing?
I take that back. I can not see my transforms in the UI, even as admin. They are working.... I would guess permission issue but don't know where to look.
Odd. Over here the btool command can see custom apps, such as dbx or sideview_utils - both as admin and as a regular user.
yes they can.
Can the user access the app and the transforms configuration in it, e.g. field transforms, through the UI?
btool from the SOS app does not appear to see my app. I changed permissions on the command and can run it, but it seems limited in what it can see. The transforms I am trying to see are in a custom app.
Thanks,
-Bob