Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Difficulty Locating Newly Added Calculated Field (Eval)

Ismail_BSA
Path Finder
‎04-26-2024 03:10 PM

Hello,

I recently encountered an issue with Splunk Cloud. After creating a new eval in the "Fields" menu under "calculated fields," named 'src' for the source type "my_source_type," I adjusted the permissions to make it readable and writable for my role, with app permissions set to all apps. However, upon saving these permissions, the eval disappeared, and I couldn't locate it anywhere.

Thinking it might not have saved properly, I attempted to recreate it with the same name and source type. However, when I tried to adjust the permissions, I received a red error banner stating: "Splunk could not update permissions for resource data/props/calcfields [HTTP 409] [{'type': 'ERROR', 'code': None, 'text': 'Cannot overwrite existing app object'}]"

Any recommendations on where I should search to locate the initially created eval that seems to have gone missing?

Thank you.

Labels (2)
Labels
0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎04-27-2024 01:29 AM

Hi @Ismail_BSA 

you can use following restcall to find caluclated fields created by you 


| rest splunk_server=local services/data/props/calcfields/  | search author = <yourid> | table attribute field.name eai:acl.app author eai:acl.sharing

 

----
Regards,
Sanjay Reddy

----
If this reply helps you, Karma would be appreciated

Reply

Ismail_BSA
Path Finder
‎04-29-2024 06:17 AM

Hi @SanjayReddy 

 

Thank you for your reply.

 

Unfortunatelly, this is not working since your proposed commend will display the same fields as in the menu Fields>calculated fields. I think the issue is more related to the authorisations.  I am 100% sure that I allowed my role to read/write the newly created varaible. But I can't find it.

 

Regards.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...