Why are Splunk field aliases created from the UI not visible?

Yashprime07
Explorer

So I have an application that runs as a Docker container in AWS ECS Fargate, and in the log configuration for the container I have used the splunk log driver. Here I have used --log-opt env to, let's say, set a variable xyz. This variable now appears in the logs under attrs.xyz, but I don't want to search using this every time, so I used a field alias in Settings -> Fields -> new field aliases and created xyz = attrs.xyz. But now that I have created this field alias, I can't see it (use it to filter the search), but the admin user can see this field, although the correct app (search) was selected and read permission was given to everyone.

0 Karma

yuanliu
SplunkTrust

Ask your admin if you have Power User or equivalent permissions to share knowledge objects.  Without such permissions, you can only create and manage your own. (Manage knowledge object permissions can give you some ideas.)

0 Karma

Yashprime07
Explorer

No, just one guy with admin access is able to see it. Everyone is able to see attrs.xyz but not xyz (which I created as a field alias [xyz as attrs.xyz]). Yeah, the application scope is set to search, and also, in permissions, global sharing is set with read access to everyone.

0 Karma

yuanliu
SplunkTrust

A shot in the dark about "read permission to everyone was given."

  1. Does everyone see attrs.xyz?  If not, that's the first place to troubleshoot.
  2. If everyone sees attrs.xyz but not xyz, can you elaborate what permissions are shown in Splunk?  If I'm not mistaken, field aliases restrict permissions by application scope, not by user group or privilege.  Is Sharing set to "Global" or is it in a specific application?
0 Karma

Yashprime07
Explorer
Thanks, I had checked that, but that wasn't the issue; I had verified all this before itself.
0 Karma

yuanliu
SplunkTrust

I'm confused.  This means that my answer is incorrect.  So the problem isn't solved.

0 Karma

Yashprime07
Explorer

Naah, the answer that you posted, I shared that with the admin user and it did the trick.

0 Karma

Yashprime07
Explorer

Regarding knowledge objects, thanks ✌️

0 Karma
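
To see why an alias applies for one account and not another, it helps to look at each knowledge object's ACL (owner, app, sharing, read roles). The sketch below is an added example, not part of the thread: it applies Splunk's private/app/global sharing rules to ACL records shaped like the REST API's `acl` block. The sample data, user names and the sourcetype `my_sourcetype` are constructed, and role inheritance is not modelled (pass the user's effective roles).

```python
import json

# Constructed sample: "entry" records with an "acl" block, shaped like what
# Splunk's REST API returns for knowledge objects. All names are made up.
SAMPLE = json.loads("""
{"entry": [
  {"name": "my_sourcetype : FIELDALIAS-xyz",
   "acl": {"app": "search", "owner": "yash", "sharing": "user",
           "perms": null}},
  {"name": "my_sourcetype : FIELDALIAS-xyz_shared",
   "acl": {"app": "search", "owner": "admin", "sharing": "global",
           "perms": {"read": ["*"], "write": ["admin"]}}},
  {"name": "my_sourcetype : FIELDALIAS-xyz_app",
   "acl": {"app": "search", "owner": "admin", "sharing": "app",
           "perms": {"read": ["power"], "write": ["admin"]}}}
]}
""")


def can_use(acl, user, roles, app):
    """Return True if the object applies to `user` searching from `app`."""
    sharing = acl["sharing"]
    if sharing == "user":
        # Private object: only its owner gets it, whatever the app context.
        return acl["owner"] == user
    if sharing == "app" and acl["app"] != app:
        # App-level sharing: only visible inside the owning app.
        return False
    # App-level (matching app) or global: the read list decides.
    read = (acl.get("perms") or {}).get("read", [])
    return "*" in read or bool(set(read) & set(roles))


def report(entries, user, roles, app):
    """Map each object name to whether `user` can use it from `app`."""
    return {e["name"]: can_use(e["acl"], user, roles, app) for e in entries}


if __name__ == "__main__":
    for who, roles in (("yash", ["user"]), ("bob", ["user"])):
        print(who, report(SAMPLE["entry"], who, roles, "search"))
```

An alias that shows `sharing: user` is private to its owner even if its creator intended it to be shared, which matches the symptom of other users seeing attrs.xyz but not xyz.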