Splunk Search

Why are Splunk Field alias created from Ui not visible?

Yashprime07
Explorer

So I have an application that runs as a docker container in AWS ECS Fargate, and in log configurations for the container , I have used splunk log driver , here I have used --log-opt env to let say set a variable xyz, this variable appears now in the logs under attrs.xyz but I don't want to search everytime using this , so I used field alias in the settings -> fields -> new filed aliases  and created xyz = attrs.xyz, but now I have created this field alias and I can't see it (use it to filter the search) but admin user can see this field although correct app - search was selected , and read permission to everyone was given

Labels (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

Ask your admin if you have Power User or equivalent permissions to share knowledge objects.  Without such permissions, you can only create and manage your own. (Manage knowledge object permissions can give you some ideas.)

View solution in original post

0 Karma

Yashprime07
Explorer

No , just one guy with admin access is able to see it. Everyone is able to see attrs.xyz but not xyz ( which I created as field alias [xyz as attrs.xyz] ) yeah application scope is set to search and also , in permissions , global sharing are set with read access to everyone 

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Ask your admin if you have Power User or equivalent permissions to share knowledge objects.  Without such permissions, you can only create and manage your own. (Manage knowledge object permissions can give you some ideas.)

0 Karma

yuanliu
SplunkTrust
SplunkTrust

A shot in the dark about "read permission to everyone was given."

  1. Does everyone see attrs.xyz?  If not, that's the first place to troubleshoot.
  2. If every one sees attrs.xyz but not xyz, can you elaborate what permissions are shown in Splunk?  If I'm not mistaken, field aliases restrict permissions by application scope, not by user group or privilege.  Is Sharing set to "Global" or is it in a specific application?
0 Karma

Yashprime07
Explorer
Thanks I had checked that but that wasn't the issue had verified all this before itself
0 Karma

yuanliu
SplunkTrust
SplunkTrust

I'm confused.  This means that my answer is incorrect.  So the problem isn't solved.

0 Karma

Yashprime07
Explorer

Naah the answer that you posted , i shared that with the admin user and did the trick

0 Karma

Yashprime07
Explorer

Regarding knowledge objects thanks ✌️

0 Karma
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...