Splunk Search

Are there inherited properties/restrictions when using collect to copy from one index to another?

fatsug
Communicator

We were presented with a situation where non-admin users needed access to Splunk license data from the _internal index, though to whom we cannot grant admin access/access to the _internal index.

The solution we came up with was to generate a new index and use a scheduled report/search using collect to move only license events to this new index and give access to the new index on a role basis appropriate for these users. This did not work, as the users with roles who should have read access to this index cannot see any events; only admin can, and I am struggling to figure out why.

This is the basic search used to copy events:

index=_internal source=*license_usage.log type=Usage | collect index="collect_license"

It is scheduled to run every 15 min, collecting data for the past 15 min.

The report is set to Display for App with read access granted to Everyone. The job runs, collect does "copy" data to the new index where admin users can search the index. However, the other roles with access to the index cannot.

We cannot see or find any indication of restrictions on the "stash" sourcetype in the documentation, online, or in our environment. Users have role-based access to this new index, though for some reason they are not allowed access to events in the index, turning up empty results when searching.

So I hit a wall here; I see no reason why the intended users lack access to events in the new index. The only thing left I can imagine is if there is any inherited property included when "extracting" and "copying" using collect, maintaining some restriction from the source index.

Any information and/or suggestions that could help solve this would be greatly appreciated.

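As an added illustration (not from the original thread or from Splunk's own documentation), here is how the three pieces described in the question could be laid out in configuration: the destination index, the scheduled collect report, and a non-admin role that is explicitly allowed to search the new index but not _internal. The index name and the search are the ones from the question; the role name license_viewer, the report name and the file locations are assumptions.

```ini
# indexes.conf (assumed location: $SPLUNK_HOME/etc/apps/<app>/local/)
# Destination index that receives the copied license events.
[collect_license]
homePath   = $SPLUNK_DB/collect_license/db
coldPath   = $SPLUNK_DB/collect_license/colddb
thawedPath = $SPLUNK_DB/collect_license/thaweddb

# savedsearches.conf
# Scheduled report that copies license usage events every 15 minutes,
# searching exactly the 15-minute window that closed at the last whole minute.
# The sourcetype is left at the collect default ("stash"), so field
# extractions defined for the source sourcetype do not apply to the copies.
[copy_license_usage]
search = index=_internal source=*license_usage.log type=Usage | collect index="collect_license"
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m@m
dispatch.latest_time = @m

# authorize.conf
# Role (name assumed) for the non-admin users. srchIndexesAllowed is the
# hard limit on what the role may search; srchIndexesDefault is what a
# search without an explicit index= term runs against. _internal is
# deliberately absent from both.
[role_license_viewer]
importRoles = user
srchIndexesAllowed = collect_license
srchIndexesDefault = collect_license
```

Because roles also inherit any srchFilter from the roles they import, the effective values for a role can be confirmed with `| rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault srchFilter` before concluding that the index itself is the problem.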

PickleRick
Ultra Champion

The question is whether the users don't see any raw events in the collect_license index, or whether you have any searches/reports that are not working on that index.

That's because by default the sourcetype is changed to "stash" for collected events and thus your field extractions from the source sourcetype (ugly wording, I know) won't work.

Another possible issue is that the time of events might change. Though the docs say "If you apply the collect command to events that do not have timestamps, the command designates a time for all of the events using the earliest (or minimum) time of the search range", I find it not entirely true. For example, I did a simple

index=winevents earliest=-1d@d latest=@d | collect index=test2

on my home Splunk Free installation, and even though the original events had the timestamp set, I got all events in the destination index timestamped at the current time (2021-12-17T16:06:41.000+01:00).

So your events might also be getting timestamped at the wrong point in time.


fatsug
Communicator

Thank you, @PickleRick, for the prompt feedback.

The users see no events, _raw or otherwise, regardless of time frame.

(I did notice the missing fields so I just made some rex extractions for them to get the fields they need.)

Timestamps seem OK.

BTW, excellent username.
