Splunk Search

Sharing field extractions with two Apps and another role

mortf
Explorer

I'm having some issues when trying to share KO (field extractions) with other roles and users.
I have field extractions which reside in props.conf and transforms.conf for App A.
What I want to do is share these extractions with role B. Role B only have access to an app called App B.

So the question:
Is it possible to share the field extraction from app A with role B, so that when role B does a search in app B they will see the field extractions?

I have tried the following:

Settings -> Fields -> Field extractions -> found the correct props stanza for the field extractions and checked "all apps" and given read permission for role B.
Same procedure for "field transformations" and the corresponding transforms stanza.

When a user with role B logs in they still can't see the fields even though the extraction was set to "global" and they have read access to them.

Local.meta then looks something like this:

[transforms/REPORT-csv_A]
access = read : [ admin, B ], write : [ admin ]
export = system
owner = admin

[props/somesourcetype/REPORT-csv_A]
access = read : [ admin, B ], write : [ admin ]
export = system
owner = admin

[]
access = read : [ admin ], write : [ admin ]
export = none    

Then I tried to share "all" KO's, and not only the field extractions by editing app A and selecting "All apps" for "Set permissions for configurations that have been copied over or added to config files rather than created through the UI.
Objects defined in config files only (not in the UI) should appear in"

Resulting in the following change in the local.meta:

[]
access = read : [ admin ], write : [ admin ]
export = system    

And this actually works. Having shared ALL KO's a user with role B can search in app B and get the field extractions from app A.

So I'm struggling to understand why the sharing of only filed extraction is not working? Does anyone have any ideas as to what is happening? Have I forgotten something?

I might also add that the default.meta in app A looks like this:

[app/ui]
version = 7.2.3
modtime = x

[app/launcher]
version = 7.2.3
modtime = x

[]
access = read : [ * ], write : [ admin ]

### EVENT TYPES

[eventtypes]
export = system


### PROPS

[props]
export = system


### TRANSFORMS

[transforms]
export = system


### LOOKUPS

[lookups]
export = system


### VIEWSTATES: even normal users should be able to create shared viewstates

[viewstates]
access = read : [ * ], write : [ * ]
export = system

And that giving "read" access to app A for role B also works. Role B can then search in app B and still get all the field extractions from app A. The problem with this one is that app A is also visible to role B, which I do not want.

One more small detail:
The sourcetype used is defined in app A default/props.conf.
Could this be why it is working when sharing ALL KO's (also sharing the sourcetype in default)?

0 Karma

woodcock
Esteemed Legend

This should work PROVIDED you do not have any typos. What the search head on restart and see what it complains about. Also check the ownership of the files; maybe some are owned by root and doing nothing; to fix do this:

chown -R splunk: /opt/splunk*
0 Karma

harsmarvania57
Ultra Champion

Hi,

To share KO of app A with role B user (Who has access to app B) , you need to share app A as Global app and you need to provide read permission to role B user. Until and unless you provide role B to access app A, role B user can't see anything inside app A.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...