- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to provide permissions for kvstore lookups?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am setting up permissions for kv store collections.
I tried to give permission in local.meta in my app for all the collections, but still getting
" Error in 'outputlookup' command: the lookup table ' permission denied for collection 'win-l1'" is invalid
Please let me know how to provide permissions for kvstore lookups.
local.meta
[lookups]
access = read : [ * ], write : [ admin, win-l1,win-l2 ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So it seems that using the web interface to create a KV Store creates the definition of the lookup, but does not actually create the backing collection. This causes the "lookup table "permission denied for collection 'name'" is invalid" error as opposed to just "lookup table 'name' is invalid" error that would indicate that the lookup definition doesn't exist. (I would log a support request asking for this messaging to be improved, as it's somewhat confusing.)
To resolve this, you also need to create (manually) a collections.conf stanza as described in the developer documentation to match to the target collection of your KV Store. From that doc "At a minimum, all you need to create a KV Store collection is the stanza name". I am not a KV Store expert, but you likely have to grant write access to the backing collection as well (given the error message that @philip.wong described above) in the corresponding .meta. and then restart splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the kvstore exists and if you still facing the issue and the kvstore is created under default folder ,add access in default.meta
In default meta :
[ ]
access = read : [ * ], write : [ admin, win-l1,win-l2 ].
Hope this helps some one .
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi spyme,
You can manage permission in local.meta (or default.meta) via the following stanza:
[collections/mycollection]
access = read : [ * ], write : [ admin, win-l1,win-l2 ]
HtH,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Nicolasdder
Thanks, This solution works fro my problem.
I had to provide write access to the kvstore I was only changing
[transforms/sample_kvstore]
access = read : [ * ], write : [ sample_kvstore_user, admin, power ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So it seems that using the web interface to create a KV Store creates the definition of the lookup, but does not actually create the backing collection. This causes the "lookup table "permission denied for collection 'name'" is invalid" error as opposed to just "lookup table 'name' is invalid" error that would indicate that the lookup definition doesn't exist. (I would log a support request asking for this messaging to be improved, as it's somewhat confusing.)
To resolve this, you also need to create (manually) a collections.conf stanza as described in the developer documentation to match to the target collection of your KV Store. From that doc "At a minimum, all you need to create a KV Store collection is the stanza name". I am not a KV Store expert, but you likely have to grant write access to the backing collection as well (given the error message that @philip.wong described above) in the corresponding .meta. and then restart splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, eventually I found collections.conf was missed as you said. It's fixed.
Thanks a lot!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am a Splunk Cloud customer who can not make configuration changes directly.
I was able to work around this by adding the backend collection via REST:
curl -k -u <username>:<password> -d name=<collections_name> https://<youraccountname>.splunkcloud.com:8089/servicesNS/nobody/<app-name>/storage/collections/conf...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As much as I prefer the CLI, the GUI is frequently better (harder to mess up) for setting permissions. Go to settings -> lookups and make sure that ALL 3 of your KOs (Lookup table files, Lookup definitions, and Automatic lookups) have appropriate permissions. Try "Global" first and then back down from that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I got the same problem. It didn't help to resolve the problem by adding the above local.meta.
From search.log I see the following error, surprised why admin cannot write to kvstore
07-03-2015 02:00:12.618 ERROR KVStoreLookup - Lookup failed as user 'admin' does not have access to collection 'ldap_people_kv' in app 'telco_lookups' (write: 1)
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
Splunk Education Goes to Washington | Splunk GovSummit 2024
