Splunk Enterprise Security

How to make an App, its Commands, and Lookup permissions "global"?

Communicator

We've installed an app that initially does not install as a "global" permission. We'd like to make its resources (e.g. custom commands, lookup tables) available to other apps, especially in the context of Splunk Enterprise Security correlation searches. We've set the app to global with global read permissions as well as all its objects. The commands and lookups are still not available in other apps. We've attempted to restart the relevant search head. Any ideas on where to look for troubleshooting?

0 Karma

Communicator

Hello there,
can you verify via the search below in search you can pull data from the file

| inputlookup yourfilename.csv

If you can run the above search and return results then view permissions are good. If not check Settings > Lookups > Lookup Tables Files > App Name - File Permissions

If you can search the above then verify your definitions are setup for your lookups Settings > Lookups > Lookup Definitions > App Name - Definitions / Sharing Permissions

If those are fine check your Automatic lookups Settings > Lookups > Automatic Lookups > App Name - Name / Sharing Permissions.

To verify your custom commands are working and are Global run the below search in search

| commandname

If your command does not work go to Settings > Advanced Search > Search Commands > Command Name / Sharing Permissions

0 Karma

Communicator

The lookup definition is set to global. The def points to a KVSTORE.

I checked the permissions of the command and they are set to Global, everyone can read.

I would also note that when I try to add this app as the custom context for a correlation search, it does appear in the list of apps. It is as if the whole app is not set to Global, even though the permissions have been set that way...

0 Karma