Splunk Search

How to provide permissions for kvstore lookups?

spyme72
Path Finder

I am setting up permissions for kv store collections.
I tried to give permission in local.meta in my app for all the collections, but still getting

" Error in 'outputlookup' command: the lookup table ' permission denied for collection 'win-l1'" is invalid

Please let me know how to provide permissions for kvstore lookups.

local.meta
[lookups]
access = read : [ * ], write : [ admin, win-l1,win-l2 ]
1 Solution

acharlieh
Influencer

So it seems that using the web interface to create a KV Store creates the definition of the lookup, but does not actually create the backing collection. This causes the "lookup table "permission denied for collection 'name'" is invalid" error as opposed to just "lookup table 'name' is invalid" error that would indicate that the lookup definition doesn't exist. (I would log a support request asking for this messaging to be improved, as it's somewhat confusing.)

To resolve this, you also need to create (manually) a collections.conf stanza as described in the developer documentation to match to the target collection of your KV Store. From that doc "At a minimum, all you need to create a KV Store collection is the stanza name". I am not a KV Store expert, but you likely have to grant write access to the backing collection as well (given the error message that @philip.wong described above) in the corresponding .meta. and then restart splunk.

View solution in original post

splunk403
Explorer

If the kvstore exists and if you still facing the issue and the kvstore is created under default folder ,add access in default.meta

In default meta :

[ ]
access = read : [ * ], write : [ admin, win-l1,win-l2 ].

Hope this helps some one .

Thanks

0 Karma

nicolasydder
Explorer

Hi spyme,

You can manage permission in local.meta (or default.meta) via the following stanza:

[collections/mycollection]
access = read : [ * ], write : [ admin, win-l1,win-l2 ]

HtH,

yogesh_punia
New Member

Hi Nicolasdder

Thanks, This solution works fro my problem.
I had to provide write access to the kvstore I was only changing
[transforms/sample_kvstore]
access = read : [ * ], write : [ sample_kvstore_user, admin, power ]

0 Karma

acharlieh
Influencer

So it seems that using the web interface to create a KV Store creates the definition of the lookup, but does not actually create the backing collection. This causes the "lookup table "permission denied for collection 'name'" is invalid" error as opposed to just "lookup table 'name' is invalid" error that would indicate that the lookup definition doesn't exist. (I would log a support request asking for this messaging to be improved, as it's somewhat confusing.)

To resolve this, you also need to create (manually) a collections.conf stanza as described in the developer documentation to match to the target collection of your KV Store. From that doc "At a minimum, all you need to create a KV Store collection is the stanza name". I am not a KV Store expert, but you likely have to grant write access to the backing collection as well (given the error message that @philip.wong described above) in the corresponding .meta. and then restart splunk.

philip_wong
Communicator

Yes, eventually I found collections.conf was missed as you said. It's fixed.
Thanks a lot!

0 Karma

markbarber21
Path Finder

I am a Splunk Cloud customer who can not make configuration changes directly.
I was able to work around this by adding the backend collection via REST:

curl -k -u <username>:<password> -d name=<collections_name> https://<youraccountname>.splunkcloud.com:8089/servicesNS/nobody/<app-name>/storage/collections/conf...
0 Karma

woodcock
Esteemed Legend

As much as I prefer the CLI, the GUI is frequently better (harder to mess up) for setting permissions. Go to settings -> lookups and make sure that ALL 3 of your KOs (Lookup table files, Lookup definitions, and Automatic lookups) have appropriate permissions. Try "Global" first and then back down from that.

philip_wong
Communicator

I got the same problem. It didn't help to resolve the problem by adding the above local.meta.
From search.log I see the following error, surprised why admin cannot write to kvstore

07-03-2015 02:00:12.618 ERROR KVStoreLookup - Lookup failed as user 'admin' does not have access to collection 'ldap_people_kv' in app 'telco_lookups' (write: 1)

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...