Splunk Search

Field parsing works for admin, not for general user

wegscd
Contributor

I am using DB Connect to insert some data into an index. Query 'A' inserts data in mkv format, and sourcetype 'ItimProcessCompletion'. I am putting a field in called W_EVT that has value W_EVT=ITIM_PRC_CMPLT as an additional marker.

COMPLETED=2014-08-07 11:32:32:294 GMT
REQUESTEE_NAME=
SUBJECT=
ID=3476185726252818068
PARENT_ID=0
ROOT_PROCESS_ID=3476185726252818068
W_EVT=ITIM_PRC_CMPLT
SUBMITTED=2014-08-07 11:32:32:001 GMT
SCHEDULED=2014-08-07 11:32:32:001 GMT
STARTED=2014-08-07 11:32:32:042 GMT
LASTMODIFIED=2014-08-07 11:32:32:294 GMT
NAME=logGeneratePinRequestedBy
STATE=C
RESULT_SUMMARY=SS
TYPE=CP
DESCRIPTION=
SUBJECT_SERVICE=
PARENT_ACTIVITY_ID=0
DEFINITION_ID=8439980741168683462
REQUESTER_TYPE=U
REQUESTER=eruid=wpassadm,ou=systemUser,ou=itim,ou=whirlpool,dc=com
REQUESTER_NAME=WPass Admin
PRIORITY=5
NOTIFY=1
REQUESTEE=
COMMENTS=
RESULT_DETAIL=
SUBJECT_PROFILE=
SUBJECT_ACCESS_ID=
SUBJECT_ACCESS_NAME=
SHORT_DETAIL=

I made changes to the ItimProcessCompletion sourcetypes so that mkv parsing would not break on spaces contained in fields (from etc/system/local/props.conf:)

[ItimProcessCompletion]
NO_BINARY_CHECK = 1
pulldown_type = 1
KV_MODE = none
REPORT-mkv = dbx-mkv

Query 'B' inserts data in kv format, has sourcetype 'ItimProcessStatusActive', and has W_EVT=ITIM_PRC_ACT_SNAP.

STATE=R TYPE=XA ROOT=Y PROCESS_COUNT=39 TIME=2014-08-07-07.40.00.006740 W_EVT=ITIM_PRC_ACT_SNAP

The interesting thing is I can pull up both records using search, but field parsing of the 'ItimProcessCompletion' sourcetype only takes place if I am logged in as admin; if I log in as a test user without admin or power user, none of the fields get parsed. If I am not admin, I can't query on the W_EVT=ITIM_PRC_CMPLT, and if any events of ItimProcessCompletion sourcetype get pulled up in a query, the fields contained inside are not parsed out.

Field parsing for the 'ItimProcessStatusActive' works fine for either userid.

What in Sam Hill is going on here?

0 Karma
1 Solution

wegscd
Contributor

ah, aaronkorn's answer got me started.

While everyone has read access to the sourcetype I defined, it relies on the [dbx-mkv] transform in the dbx application's transforms.conf, and that application is only accessible to people with dbx-user or admin role.

Granting the test user dbx-user role resolved the problem (but grants everyone the ability to shoot off dbquery commands, probably not what I want).

Long term fix is to change the permissions for just [transforms] in the dbx app to be

access = read : [ * ], write : [ admin, dbx_user ]

(needs testing).

Calling this one answered; thanks, aaronkorn.

0 Karma

ahartge
Path Finder

I have found a workaround to this, so I can still remove the "Read" access to DBCONNECT to certain roles that I don't want hitting DB servers, but they can still use the indexed data properly.

Simply add the needed props.conf & transforms.conf entries to another /apps//local files and the extractions start to work normally again.

Hope this helps someone.

[root@splunk local]# cat props.conf

[source::...mkv_*.dbmonevt]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]---91827349873-dbx-end-of-event---[\r\n])
HEADER_MODE = firstline
LINE_BREAKER_LOOKBEHIND = 10000
priority = 102

[dbmon:mkv]
KV_MODE = none
REPORT-mkv = dbx-mkv
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]---91827349873-dbx-end-of-event---[\r\n])
LINE_BREAKER_LOOKBEHIND = 10000

[root@splunk local]# cat transforms.conf

[dbx-mkv]
REGEX = (?ms)^(\V+?)[ \t]*=[ \t]*(\V*)
FORMAT = $1::$2
0 Karma
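An added example (not code from the thread or from DB Connect) showing why the dbx-mkv transform is needed for the multi-line mkv events in the question: it applies the transform's REGEX from the post above to a constructed event and compares it with a whitespace-split key=value extraction that truncates values at the first space. Python's re has no \V (non-vertical-whitespace), so that PCRE escape is written out as a character class here.

```python
import re

# Constructed sample mkv event, modelled on the ItimProcessCompletion records:
# values may contain spaces, commas and even '=' signs, and many are empty.
MKV_EVENT = """\
COMPLETED=2014-08-07 11:32:32:294 GMT
REQUESTEE_NAME=
ID=3476185726252818068
W_EVT=ITIM_PRC_CMPLT
REQUESTER=eruid=wpassadm,ou=systemUser,ou=itim,ou=whirlpool,dc=com
REQUESTER_NAME=WPass Admin
PRIORITY=5
"""

# Constructed single-line kv event, modelled on ItimProcessStatusActive.
KV_EVENT = "STATE=R TYPE=XA ROOT=Y PROCESS_COUNT=39 TIME=2014-08-07-07.40.00.006740 W_EVT=ITIM_PRC_ACT_SNAP"

# The [dbx-mkv] REGEX from the thread is (?ms)^(\V+?)[ \t]*=[ \t]*(\V*).
# \V is replaced by [^\r\n\v\f] because Python's re module lacks it.
DBX_MKV = re.compile(r"(?ms)^([^\r\n\v\f]+?)[ \t]*=[ \t]*([^\r\n\v\f]*)")


def extract_mkv(event: str) -> dict:
    """Emulate REPORT-mkv = dbx-mkv with FORMAT = $1::$2: one field per line.
    The lazy key group stops at the first '=', so the rest of the line,
    spaces and further '=' included, becomes the value."""
    return {m.group(1): m.group(2) for m in DBX_MKV.finditer(event)}


def extract_whitespace_kv(event: str) -> dict:
    """Whitespace-delimited key=value extraction, which suits the one-line
    kv event but breaks the mkv event's values at the first space."""
    fields = {}
    for token in event.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields.setdefault(key, value)
    return fields


if __name__ == "__main__":
    print(extract_mkv(MKV_EVENT)["COMPLETED"])          # full timestamp kept
    print(extract_whitespace_kv(MKV_EVENT)["COMPLETED"])  # cut at the space
    print(extract_whitespace_kv(KV_EVENT)["TIME"])
```

The same regex yields nothing for a user who cannot read the app that holds the transform, which is the symptom the thread describes; the extraction logic itself is unchanged between admin and test user.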

wegscd
Contributor

long term fix doesn't work: problem persists with read access granted to * for

dbmon:mkv : REPORT-mkv
dbx-mkv
dbx_debug : EXTRACT-fields

looks like granting dbx_user is my only recourse right now.

0 Karma

aaronkorn
Splunk Employee

In the app where your props.conf is defined you will need to check your default.meta to ensure it is readable to all users and not just admin.

For example:

[]
access = read : [ * ], write : [ admin ]
export = system

Meaning allow everything in this app context to be viewable by everyone but can only be modified by the admin user. This also means that the knowledge objects in this app are shared globally for the whole system.

http://docs.splunk.com/Documentation/Splunk/6.1.2/admin/Defaultmetaconf

0 Karma

wegscd
Contributor

thank you. That props.conf is not defined in an app; it's defined in etc/system/local, and default.meta is already set up correctly.

default.meta sez:

# System permissions

[]
access = read : [ * ], write : [ admin ]

### VIEWSTATES: even normal users should be able to create shared viewstates

[viewstates]
access = read : [ * ], write : [ * ]
0 Karma