How to provide permissions for kvstore lookups?

spyme72
Path Finder

I am setting up permissions for kv store collections.
I tried to give permission in local.meta in my app for all the collections, but I am still getting:

" Error in 'outputlookup' command: the lookup table ' permission denied for collection 'win-l1'" is invalid

Please let me know how to provide permissions for kvstore lookups.

local.meta
[lookups]
access = read : [ * ], write : [ admin, win-l1,win-l2 ]
1 Solution

acharlieh
Influencer

So it seems that using the web interface to create a KV Store creates the definition of the lookup, but does not actually create the backing collection. This causes the "lookup table "permission denied for collection 'name'" is invalid" error as opposed to just "lookup table 'name' is invalid" error that would indicate that the lookup definition doesn't exist. (I would log a support request asking for this messaging to be improved, as it's somewhat confusing.)

To resolve this, you also need to create (manually) a collections.conf stanza as described in the developer documentation to match to the target collection of your KV Store. From that doc: "At a minimum, all you need to create a KV Store collection is the stanza name". I am not a KV Store expert, but you likely have to grant write access to the backing collection as well (given the error message that @philip.wong described above) in the corresponding .meta, and then restart Splunk.

splunk403
Explorer

If the kvstore exists and you are still facing the issue, and the kvstore is created under the default folder, add access in default.meta.

In default.meta:

[ ]
access = read : [ * ], write : [ admin, win-l1,win-l2 ]

Hope this helps someone.

Thanks

0 Karma

nicolasydder
Explorer

Hi spyme,

You can manage permission in local.meta (or default.meta) via the following stanza:

[collections/mycollection]
access = read : [ * ], write : [ admin, win-l1,win-l2 ]

HtH,

yogesh_punia
New Member

Hi nicolasydder,

Thanks, this solution works for my problem.
I had to provide write access to the kvstore; I was only changing:
[transforms/sample_kvstore]
access = read : [ * ], write : [ sample_kvstore_user, admin, power ]

0 Karma

philip_wong
Communicator

Yes, eventually I found collections.conf was missed as you said. It's fixed.
Thanks a lot!

0 Karma

markbarber21
Path Finder

I am a Splunk Cloud customer who can not make configuration changes directly.
I was able to work around this by adding the backend collection via REST:

curl -k -u <username>:<password> -d name=<collections_name> https://<youraccountname>.splunkcloud.com:8089/servicesNS/nobody/<app-name>/storage/collections/conf...
0 Karma

woodcock
Esteemed Legend

As much as I prefer the CLI, the GUI is frequently better (harder to mess up) for setting permissions. Go to settings -> lookups and make sure that ALL 3 of your KOs (Lookup table files, Lookup definitions, and Automatic lookups) have appropriate permissions. Try "Global" first and then back down from that.

philip_wong
Communicator

I got the same problem. It didn't help to resolve the problem by adding the above local.meta.
From search.log I see the following error, and I am surprised that admin cannot write to the kvstore:

07-03-2015 02:00:12.618 ERROR KVStoreLookup - Lookup failed as user 'admin' does not have access to collection 'ldap_people_kv' in app 'telco_lookups' (write: 1)

0 Karma
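
The two fixes from the answers above (acharlieh's collections.conf stanza and nicolasydder's [collections/<name>] grant) can be checked offline before restarting Splunk. This is an added example, not code from the thread or from Splunk; the function names and sample data are constructed. It assumes that within a single .meta file the most specific stanza setting access wins, and it does not model role inheritance or default/local layering.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf/.meta text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def write_roles(access):
    """'read : [ * ], write : [ admin, x ]' -> {'admin', 'x'}"""
    match = re.search(r"write\s*:\s*\[([^\]]*)\]", access)
    return {r.strip() for r in match.group(1).split(",") if r.strip()} if match else set()

def check_write(collection, role, collections_conf, meta):
    """List what stops `role` from writing to the KV Store `collection`."""
    problems = []
    # The backing collection must exist, not just the lookup definition.
    if collection not in parse_conf(collections_conf):
        problems.append(f"collections.conf has no [{collection}] stanza")
    stanzas = parse_conf(meta)
    # Assumption: the most specific stanza that sets `access` wins.
    for name in (f"collections/{collection}", "collections", ""):
        access = stanzas.get(name, {}).get("access")
        if access is not None:
            if not write_roles(access) & {role, "*"}:
                problems.append(f"[{name}] does not grant write to {role}")
            break
    else:
        problems.append(f"no stanza in this .meta sets access for collections/{collection}")
    return problems

# Constructed sample: the question's local.meta, with no collections.conf entry.
BROKEN_META = "[lookups]\naccess = read : [ * ], write : [ admin, win-l1,win-l2 ]\n"
# Constructed sample: the backing collection plus a [collections/<name>] grant.
FIXED_CONF = "[mycollection]\n"
FIXED_META = ("[collections/mycollection]\n"
              "access = read : [ * ], write : [ admin, win-l1,win-l2 ]\n")

if __name__ == "__main__":
    print(check_write("mycollection", "win-l1", "", BROKEN_META))
    print(check_write("mycollection", "win-l1", FIXED_CONF, FIXED_META))
```

An empty list means neither problem was found in the files given; a [transforms/<name>] grant on the lookup definition, as in yogesh_punia's reply, is a separate object and is not checked here.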