Splunk Enterprise Security

How to make an App, its Commands, and Lookup permissions "global"?

panovattack
Communicator

We've installed an app that initially does not install as a "global" permission. We'd like to make its resources (e.g. custom commands, lookup tables) available to other apps, especially in the context of Splunk Enterprise Security correlation searches. We've set the app to global with global read permissions as well as all its objects. The commands and lookups are still not available in other apps. We've attempted to restart the relevant search head. Any ideas on where to look for troubleshooting?

0 Karma

Grumpalot
Communicator

Hello there,
Can you verify, via the search below in Search, that you can pull data from the file?

| inputlookup yourfilename.csv

If you can run the above search and return results, then view permissions are good. If not, check Settings > Lookups > Lookup Table Files > App Name - File Permissions.

If you can search the above, then verify your definitions are set up for your lookups: Settings > Lookups > Lookup Definitions > App Name - Definitions / Sharing Permissions.

If those are fine, check your automatic lookups: Settings > Lookups > Automatic Lookups > App Name - Name / Sharing Permissions.

To verify your custom commands are working and are Global, run the below search in Search:

| commandname

If your command does not work, go to Settings > Advanced Search > Search Commands > Command Name / Sharing Permissions.

0 Karma

panovattack
Communicator

The lookup definition is set to global. The def points to a KVSTORE.

I checked the permissions of the command and they are set to Global, everyone can read.

I would also note that when I try to add this app as the custom context for a correlation search, it does appear in the list of apps. It is as if the whole app is not set to Global, even though the permissions have been set that way...

0 Karma