Users access to rest /services/configs/conf-transforms

Communicator

I am using Splunk to document itself within app dashboards and one of the searches I am using is | rest /services/configs/conf-transforms. Users have no trouble accessing other rest resources but when this is added, users don't have access (only admin appears to have access). The current import capabilities I have set for users are listed below, what am I missing????

Thanks, Bob

Imported capabilities:

change_own_password
get_metadata
get_typeahead
input_file
list_inputs
output_file
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
rtsearch
schedule_rtsearch
schedule_search
search

Also tried | rest /servicesNS/nobody/search/configs/conf-transforms which admin was able to access but users with settings above couldn't.

Re: Users access to rest /services/configs/conf-transforms

SplunkTrust

You could use the btool search command supplied in the SoS app: http://apps.splunk.com/app/748/

Using that, even regular users can load a list of transforms.conf settings; you can filter by app and stanza name.

Re: Users access to rest /services/configs/conf-transforms

Communicator

btool from the SOS app does not appear to see my app. I changed permissions on the command and can run it, but it seems limited in what it can see. The transforms I am trying to see are in a custom app.
Thanks,
-Bob

Re: Users access to rest /services/configs/conf-transforms

SplunkTrust

Can the user access the app and the transforms configuration in it, e.g. field transforms, through the UI?

Re: Users access to rest /services/configs/conf-transforms

Communicator

Yes, they can.

Re: Users access to rest /services/configs/conf-transforms

SplunkTrust

Odd. Over here the btool command can see custom apps, such as dbx or sideview_utils - both as admin and as a regular user.

Re: Users access to rest /services/configs/conf-transforms

Communicator

I take that back. I cannot see my transforms in the UI, even as admin. They are working... I would guess a permission issue but don't know where to look.

Re: Users access to rest /services/configs/conf-transforms

SplunkTrust

Could you post an excerpt of the transforms.conf settings your admin isn't seeing?

Re: Users access to rest /services/configs/conf-transforms

Communicator

This is in etc/apps/search/local/transforms.conf.
It appears to only see the transforms in /etc/system/local/transforms.conf??

Sample from transforms.conf:
[bro-conn-2014]
DELIMS = "\t"
FIELDS = ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, duration, orig_bytes, resp_bytes, conn_state, local_orig, missed_bytes, history, orig_pkts, orig_ip_bytes, resp_pkts, resp_ip_bytes, tunnel_parents

Re: Users access to rest /services/configs/conf-transforms

SplunkTrust

I don't think DELIMS and FIELDS are meant to be visible through the regular Splunk UI.

I've added your stanza to my etc/apps/search/local/transforms.conf and these two searches can both see it:

| rest /services/configs/conf-transforms | search title=bro-conn-2014

| btool transforms | search stanza=bro-conn-2014

That's from an admin; a regular user cannot see results from rest, but he can see results from btool.
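
Added example, not part of the thread and not the SoS app's btool command: a small Python lister that merges transforms.conf layers on disk and reports which file each setting came from, useful for the "where to look" question above. The sample files and the bro-conn-demo and sys-only stanzas are constructed, and the precedence order is an assumption (Splunk's global-context order, ignoring app-to-app ordering and user directories).

```python
import configparser
import tempfile
from pathlib import Path

# Constructed sample layers, relative to a hypothetical Splunk home.
SAMPLE = {
    "etc/system/local/transforms.conf": '[sys-only]\nREGEX = foo\n',
    "etc/apps/search/default/transforms.conf":
        '[bro-conn-demo]\nDELIMS = ","\nFIELDS = ts, uid\n',
    "etc/apps/search/local/transforms.conf":
        '[bro-conn-demo]\nDELIMS = "\\t"\n',
}

def layer_rank(rel: Path) -> int:
    """Lower rank wins. Assumed order: system/local, app local,
    app default, system/default."""
    parts = rel.parts  # ('etc', 'system'|'apps', ...)
    if parts[1] == "system":
        return 0 if parts[2] == "local" else 3
    return 1 if parts[3] == "local" else 2

def list_transforms(splunk_home: Path) -> dict:
    """Return {stanza: {key: (value, source_file)}} merged across layers."""
    files = sorted(splunk_home.glob("etc/**/transforms.conf"),
                   key=lambda p: layer_rank(p.relative_to(splunk_home)),
                   reverse=True)  # lowest priority first; winners overwrite
    merged = {}
    for path in files:
        cp = configparser.RawConfigParser(strict=False)
        cp.optionxform = str  # keep DELIMS/FIELDS case as written
        cp.read(path)
        src = path.relative_to(splunk_home).as_posix()
        for stanza in cp.sections():
            for key, value in cp.items(stanza):
                merged.setdefault(stanza, {})[key] = (value, src)
    return merged

def demo() -> dict:
    """Write the constructed layers to a temp dir and merge them."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        for rel, body in SAMPLE.items():
            (home / rel).parent.mkdir(parents=True, exist_ok=True)
            (home / rel).write_text(body)
        return list_transforms(home)

if __name__ == "__main__":
    for stanza, keys in demo().items():
        for key, (value, src) in keys.items():
            print(f"{stanza:15} {key:7} {value:10} {src}")
```

This reads files directly, so it reflects what is on disk rather than what a role is permitted to see through the REST endpoint.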
