Splunk Search

Why are Splunk Field alias created from Ui not visible?

Yashprime07
Explorer

So I have an application that runs as a docker container in AWS ECS Fargate, and in log configurations for the container , I have used splunk log driver , here I have used --log-opt env to let say set a variable xyz, this variable appears now in the logs under attrs.xyz but I don't want to search everytime using this , so I used field alias in the settings -> fields -> new filed aliases  and created xyz = attrs.xyz, but now I have created this field alias and I can't see it (use it to filter the search) but admin user can see this field although correct app - search was selected , and read permission to everyone was given

Labels (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

Ask your admin if you have Power User or equivalent permissions to share knowledge objects.  Without such permissions, you can only create and manage your own. (Manage knowledge object permissions can give you some ideas.)

View solution in original post

0 Karma

Yashprime07
Explorer

No , just one guy with admin access is able to see it. Everyone is able to see attrs.xyz but not xyz ( which I created as field alias [xyz as attrs.xyz] ) yeah application scope is set to search and also , in permissions , global sharing are set with read access to everyone 

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Ask your admin if you have Power User or equivalent permissions to share knowledge objects.  Without such permissions, you can only create and manage your own. (Manage knowledge object permissions can give you some ideas.)

0 Karma

yuanliu
SplunkTrust
SplunkTrust

A shot in the dark about "read permission to everyone was given."

  1. Does everyone see attrs.xyz?  If not, that's the first place to troubleshoot.
  2. If every one sees attrs.xyz but not xyz, can you elaborate what permissions are shown in Splunk?  If I'm not mistaken, field aliases restrict permissions by application scope, not by user group or privilege.  Is Sharing set to "Global" or is it in a specific application?
0 Karma

Yashprime07
Explorer
Thanks I had checked that but that wasn't the issue had verified all this before itself
0 Karma

yuanliu
SplunkTrust
SplunkTrust

I'm confused.  This means that my answer is incorrect.  So the problem isn't solved.

0 Karma

Yashprime07
Explorer

Naah the answer that you posted , i shared that with the admin user and did the trick

0 Karma

Yashprime07
Explorer

Regarding knowledge objects thanks ✌️

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...