Splunk Search

How to provide permissions for kvstore lookups?

Path Finder

I am setting up permissions for kv store collections.
I tried to give permission in local.meta in my app for all the collections, but still getting

" Error in 'outputlookup' command: the lookup table ' permission denied for collection 'win-l1'" is invalid

Please let me know how to provide permissions for kvstore lookups.

local.meta
[lookups]
access = read : [ * ], write : [ admin, win-l1,win-l2 ]
1 Solution

Influencer

So it seems that using the web interface to create a KV Store creates the definition of the lookup, but does not actually create the backing collection. This causes the "lookup table "permission denied for collection 'name'" is invalid" error as opposed to just "lookup table 'name' is invalid" error that would indicate that the lookup definition doesn't exist. (I would log a support request asking for this messaging to be improved, as it's somewhat confusing.)

To resolve this, you also need to create (manually) a collections.conf stanza as described in the developer documentation to match to the target collection of your KV Store. From that doc "At a minimum, all you need to create a KV Store collection is the stanza name". I am not a KV Store expert, but you likely have to grant write access to the backing collection as well (given the error message that @philip.wong described above) in the corresponding .meta. and then restart splunk.

View solution in original post

Explorer

If the kvstore exists and if you still facing the issue and the kvstore is created under default folder ,add access in default.meta

In default meta :

[ ]
access = read : [ * ], write : [ admin, win-l1,win-l2 ].

Hope this helps some one .

Thanks

0 Karma

Explorer

Hi spyme,

You can manage permission in local.meta (or default.meta) via the following stanza:

[collections/mycollection]
access = read : [ * ], write : [ admin, win-l1,win-l2 ]

HtH,

New Member

Hi Nicolasdder

Thanks, This solution works fro my problem.
I had to provide write access to the kvstore I was only changing
[transforms/sample_kvstore]
access = read : [ * ], write : [ sample_kvstore_user, admin, power ]

0 Karma

Influencer

So it seems that using the web interface to create a KV Store creates the definition of the lookup, but does not actually create the backing collection. This causes the "lookup table "permission denied for collection 'name'" is invalid" error as opposed to just "lookup table 'name' is invalid" error that would indicate that the lookup definition doesn't exist. (I would log a support request asking for this messaging to be improved, as it's somewhat confusing.)

To resolve this, you also need to create (manually) a collections.conf stanza as described in the developer documentation to match to the target collection of your KV Store. From that doc "At a minimum, all you need to create a KV Store collection is the stanza name". I am not a KV Store expert, but you likely have to grant write access to the backing collection as well (given the error message that @philip.wong described above) in the corresponding .meta. and then restart splunk.

View solution in original post

Communicator

Yes, eventually I found collections.conf was missed as you said. It's fixed.
Thanks a lot!

0 Karma

Path Finder

I am a Splunk Cloud customer who can not make configuration changes directly.
I was able to work around this by adding the backend collection via REST:

curl -k -u <username>:<password> -d name=<collections_name> https://<youraccountname>.splunkcloud.com:8089/servicesNS/nobody/<app-name>/storage/collections/conf...
0 Karma

Esteemed Legend

As much as I prefer the CLI, the GUI is frequently better (harder to mess up) for setting permissions. Go to settings -> lookups and make sure that ALL 3 of your KOs (Lookup table files, Lookup definitions, and Automatic lookups) have appropriate permissions. Try "Global" first and then back down from that.

Communicator

I got the same problem. It didn't help to resolve the problem by adding the above local.meta.
From search.log I see the following error, surprised why admin cannot write to kvstore

07-03-2015 02:00:12.618 ERROR KVStoreLookup - Lookup failed as user 'admin' does not have access to collection 'ldap_people_kv' in app 'telco_lookups' (write: 1)

0 Karma