Security

Users access to rest /services/configs/conf-transforms

rdownie
Communicator

I am using Splunk to document itself within app dashboards and one of the searches I am using is | rest /services/configs/conf-transforms. Users have no trouble accessing other rest resources but when this is added, users don't have access (only admin appears to have access). The current import capabilities I have set for users are listed below, what am I missing????

Thanks, Bob

Imported capabilities:

change_own_password
get_metadata
get_typeahead
input_file
list_inputs
output_file
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
rtsearch
schedule_rtsearch
schedule_search
search

Also tried | rest /servicesNS/nobody/search/configs/conf-transforms which admin was able to access but users with settings above couldn't.

1 Solution

martin_mueller
SplunkTrust

You could use the btool search command supplied in the SoS app: http://apps.splunk.com/app/748/

Using that, even regular users can load a list of transforms.conf settings, you can filter by app and stanza name.

rdownie
Communicator

Found a typo in my transforms. This worked great!!!!!
Thanks.
-Bob

martin_mueller
SplunkTrust

I don't think DELIMS and FIELDS are meant to be visible through the regular Splunk UI.

I've added your stanza to my etc/apps/search/local/transforms.conf and these two searches can both see it:

| rest /services/configs/conf-transforms | search title=bro-conn-2014

| btool transforms | search stanza=bro-conn-2014

That's from an admin; a regular user cannot see results from rest but he can see results from btool.

rdownie
Communicator

This is in etc/apps/search/local/transforms.conf.
It appears to only see the transforms in /etc/system/local/transforms.conf??

Sample from transforms.conf:
[bro-conn-2014]
DELIMS = "\t"
FIELDS = ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, duration, orig_bytes, resp_bytes, conn_state, local_orig, missed_bytes, history, orig_pkts, orig_ip_bytes, resp_pkts, resp_ip_bytes, tunnel_parents

martin_mueller
SplunkTrust

Could you post an excerpt of the transforms.conf settings your admin isn't seeing?

rdownie
Communicator

I take that back. I can not see my transforms in the UI, even as admin. They are working.... I would guess permission issue but don't know where to look.

martin_mueller
SplunkTrust

Odd. Over here the btool command can see custom apps, such as dbx or sideview_utils - both as admin and as a regular user.

rdownie
Communicator

Yes, they can.

martin_mueller
SplunkTrust

Can the user access the app and the transforms configuration in it, e.g. field transforms, through the UI?

rdownie
Communicator

btool from the SOS app does not appear to see my app. I changed permissions on the command and can run it, but it seems limited to what it can see. The transforms I am trying to see are in a custom app.
Thanks,
-Bob
