Splunk Search

Create field extractions without the capability admin_all_objects

cesarb
Path Finder

Hi,

My customer wants to create field extractions for the whole app. For this he needs the permission admin_all_objects, but I don't want to give him this permission, because he shouldn't have access to all other apps. Is there another way that he can create extractions for his app? When he first creates private extractions and switches the permissions from private to app, other users can't see this.

Thank you for any help!

goelli
Communicator

We opened a case for this problem (1175734). There is a quite simple workaround for this (if you know about it):
Just add the following code to etc/system/local/restmap.conf:

[eai:conf-transforms] 
capability.write=allow_access_to_all

But the problem is also filed as a bug: SPL-162527

0 Karma
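
An added example (not from the post above and not Splunk's own code): a small Python audit that lists restmap.conf stanzas where a capability setting has been set to allow_access_to_all, so a workaround like this one stays tracked until SPL-162527 is resolved. The stanza name and value come from the post; the sample file content and the placeholder capability name are constructed, and treating that value as "relaxed" is an assumption based on the workaround.

```python
import re

# Value taken from the workaround in this thread; treating it as "relaxed"
# is an assumption. Add other values your review considers permissive.
PERMISSIVE = {"allow_access_to_all"}

# Constructed sample standing in for etc/system/local/restmap.conf.
SAMPLE = """\
# local overrides
[eai:conf-transforms]
capability.write=allow_access_to_all

[eai:conf-props]
capability.write = placeholder_capability
"""

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def relaxed_endpoints(text):
    """Return sorted (stanza, key, value) for capability settings with a permissive value."""
    hits = []
    for stanza, settings in parse_conf(text).items():
        for key, value in settings.items():
            # Matches "capability" and "capability.<verb>" keys only.
            if key.split(".")[0] == "capability" and value in PERMISSIVE:
                hits.append((stanza, key, value))
    return sorted(hits)

if __name__ == "__main__":
    for stanza, key, value in relaxed_endpoints(SAMPLE):
        print(f"[{stanza}] {key} = {value}")
```
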

duartet
Path Finder

The app needs to be shared globally before you can share your extractions globally too.

0 Karma

dsbruce
Explorer

We had the same issue with version 6.6.5 for a poweruser using delimited field extracts.
The user had the same fields extracted as regex.

They removed the regex field extracts and then were able to save the field extractions as delimited.
So the issue looks like something with the same fields being extracted by a different method.

0 Karma

martin_mueller
SplunkTrust

admin_all_objects is not necessary to share knowledge objects such as field extractions within an app, only write permissions for the app are required. Edit permissions of that app to grant write permissions to a role, then users of that role can share KOs within that app. Once KOs are shared within an app, other users can use those KOs while they're in that app themselves.

If other users can't see those KOs then either that user isn't in the right app, or the KO's permissions were restricted to other roles.

martin_mueller
SplunkTrust

If you're doing delimiter-based extraction you're actually creating a transforms.conf entry, not just a field extraction - never tried to do that through the UI ¯\_(ツ)_/¯

cesarb
Path Finder

But when he wants to create Extract Fields on delimiters, there comes the error that he needs this permission.
The app gives the write permission to the role of this user too. And the other users have the same roles and are in the same app.

I don't know what I can do now.

0 Karma