Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to make an App, its Commands, and Lookup permissions "global"?

panovattack
Communicator
‎07-11-2017 10:48 AM

We've installed an app that initially does not install as a "global" permission. We'd like to make its resources (e.g. custom commands, lookup tables) available to other apps, especially in the context of Splunk Enterprise Security correlation searches. We've set the app to global with global read permissions as well as all its objects. The commands and lookups are still not available in other apps. We've attempted to restart the relevant search head. Any ideas on where to look for troubleshooting?

0 Karma
Reply

Grumpalot
Communicator
‎07-11-2017 11:23 AM

Hello there,
can you verify via the search below in search you can pull data from the file

| inputlookup yourfilename.csv

If you can run the above search and return results then view permissions are good. If not check Settings > Lookups > Lookup Tables Files > App Name - File Permissions

If you can search the above then verify your definitions are setup for your lookups Settings > Lookups > Lookup Definitions > App Name - Definitions / Sharing Permissions

If those are fine check your Automatic lookups Settings > Lookups > Automatic Lookups > App Name - Name / Sharing Permissions.

To verify your custom commands are working and are Global run the below search in search

| commandname

If your command does not work go to Settings > Advanced Search > Search Commands > Command Name / Sharing Permissions

0 Karma
Reply

panovattack
Communicator
‎07-12-2017 08:45 AM

The lookup definition is set to global. The def points to a KVSTORE.

I checked the permissions of the command and they are set to Global, everyone can read.

I would also note that when I try to add this app as the custom context for a correlation search, it does appear in the list of apps. It is as if the whole app is not set to Global, even though the permissions have been set that way...

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...