Splunk Search

Create field extractions without the capability admin_all_objects

cesarb
Path Finder

Hi,

My customer wants to create field extractions for the whole app. For this he needs the permission admin_all_objects, but I don't want to give him this permission, because he shouldn't have access to all other apps. Is there another way that he can create extractions for his app? When he first creates private extractions and switches the permissions from private to app, other users can't see this.

Thank you for any help!

goelli
Communicator

We opened a case for this problem (1175734). There is a quite simple workaround for this (if you know about it):
Just add the following code to etc/system/local/restmap.conf:

[eai:conf-transforms] 
capability.write=allow_access_to_all

But the problem is also filed as a bug: SPL-162527

0 Karma

duartet
Path Finder

The app needs to be shared globally before you can share your extractions globally too.

0 Karma

dsbruce
Explorer

We had the same issue with version 6.6.5 for a poweruser using delimited field extracts.
The user had the same fields extracted as regex.

They removed the regex field extracts and then were able to save the field extractions as delimited.
So the issue looks like something with the same fields being extracted by a different method.

0 Karma

martin_mueller
SplunkTrust

admin_all_objects is not necessary to share knowledge objects such as field extractions within an app, only write permissions for the app are required. Edit permissions of that app to grant write permissions to a role, then users of that role can share KOs within that app. Once KOs are shared within an app, other users can use those KOs while they're in that app themselves.

If other users can't see those KOs then either that user isn't in the right app, or the KO's permissions were restricted to other roles.

martin_mueller
SplunkTrust

If you're doing delimiter-based extraction you're actually creating a transforms.conf entry, not just a field extraction - never tried to do that through the UI ¯\_(ツ)_/¯
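An added example, not part of the thread and not Splunk's own code: a small audit of an app's metadata/local.meta that checks what the two replies above turn on, namely whether a role has write access at the app level and on transforms entries. The sample file, the role name app_editor and the stanza names are constructed, and the "most specific stanza wins" lookup is a simplified assumption about how object permissions resolve.

```python
import re

# Constructed sample of <app>/metadata/local.meta (not taken from the thread).
SAMPLE_LOCAL_META = """\
[]
access = read : [ * ], write : [ admin, app_editor ]
export = none

[props]
access = read : [ * ], write : [ admin ]

[transforms/my_delims]
access = read : [ app_editor ], write : [ admin, app_editor ]
export = system
"""

ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")

def parse_meta(text):
    """Return {stanza: {"read": set, "write": set, "export": str or None}}."""
    acl, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]          # "[]" becomes "", the app-wide default
            acl[stanza] = {"read": set(), "write": set(), "export": None}
        elif stanza is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "access":
                for mode, roles in ACCESS_RE.findall(value):
                    acl[stanza][mode] = {r.strip() for r in roles.split(",") if r.strip()}
            elif key == "export":
                acl[stanza]["export"] = value
    return acl

def can_write(acl, role, stanza):
    """Assumed resolution: object stanza, then its type, then the app default []."""
    parts = stanza.split("/")
    for i in range(len(parts), -1, -1):
        entry = acl.get("/".join(parts[:i]))
        if entry and entry["write"]:
            return role in entry["write"] or "*" in entry["write"]
    return False

if __name__ == "__main__":
    acl = parse_meta(SAMPLE_LOCAL_META)
    for obj in ("props/my_sourcetype", "transforms/my_delims", "transforms/other"):
        print(obj, "writable by app_editor:", can_write(acl, "app_editor", obj))
```

In the constructed sample the role can write transforms entries through the app default but is blocked on props, which is the kind of mismatch worth ruling out before reaching for admin_all_objects.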

cesarb
Path Finder

But when he wants to create Extract Fields on delimiters, an error comes up saying that he needs this permission.
The app gives the write permission to the role of this user too. And the other users have the same roles and are in the same app.

I don't know what I can do now.

0 Karma