DBX Query

JacketPotato · ‎09-09-2020

Hi,

I am having issues with dbx queries

I created a dashboard with dbx queries, I can run the queries, dashboard displays fine for me and other admins but standard users (non admins) get "unknown search command 'dbxquery'".

I am domain admin.
I am an admin on splunk

The users having the issue

Are not domain admin
They have permission on the sql database that splunk queries

I was looking at the article that would kind of explain why it works for me (being local admin on the splunk server)
https://docs.splunk.com/Documentation/DBX/3.3.1/DeployDBX/Configuresecurityandaccesscontrols

Before using DB Connect, the logged-in user must have the ability to write to the $SPLUNK_HOME/var directory (%SPLUNK_HOME%\var on Windows hosts) and to $SPLUNK_HOME/etc/apps/splunk_app_db_connect ($SPLUNK_HOME/etc/apps/splunk_app_db_connect on Windows hosts) and its sub-directories

Am i reading this right? i have to grant read access on the splunk server directly if the dashboard user doesn't have permission to these folders? Surely i have that wrong? It can't be the case?

Thanks.

vgtk4431 · ‎09-10-2020

the users needs to have access to the custom commands "dbxquery"

settings > advanced search > search commands

you have to tweak the permissions on the command. By default, only users with the role "admin & db_connect_*" have access to the command.

Either you expand the right, or you add the user that needs to do dbxquery the role "db_connect_user"

JacketPotato · ‎09-11-2020

Thanks I'll have a look.
So the article i refer to is not relevant?

DBX Query

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...