Splunk Search

Why do we have the --not exporting configurations globally to system-- message?


We have this message popping out -

-- Search peer SH name has the following message: Health Check: One or more apps ("SA-cim_vladiator-master") that had previously been imported are not exporting configurations globally to system. Configuration objects not exported to system will be unavailable in Enterprise Security.

Why is it?

Tags (3)
0 Karma


Hi Daniel,

what the message says is that the knowledge objects defined inside the SA-cim_validator-master app cannot be seen from inside the Splunk Enterprise Security App, unless they are declared as "system". I assume that you have installed ES recently, which in turn activates the check for non-global objects in the health check. To resolve the "error" either remove the SA-cim_validator-master app or change the permissions of the app's knowledge objects to system. The error could also come from recent changes to the SA.../metadata/*.meta files that have in effect changed the permissions.

Best regards



Do you know if there are any other common causes for this?

I am getting the same error described above except I have three separate apps listed, none of which are SA-CIM...

I checked the first one in the GUI by going to Settings > Knowledge > All Configurations and under Permissions for all of the affected apps it's set to Global. When I open the permissions it's set so that Everyone can Read. I assume this should be sufficient.

I also checked the metadata file in local and for each type (tags, event types, transforms, props, lookups, virestates) they all have export = system.

Any ideas?

0 Karma


you will need to put this setting in the add-on's metadata/local.meta file to allow everyone read access to all the objects defined in the add-on or app by default. That would stop the messages from showing up

access = read : [ * ], write : [ admin ]
export = system

Path Finder

Thank you! Worked for me!

0 Karma


Thank you! I updated the file on the deployment server and redeployed the apps. Now the error is gone!

0 Karma

Path Finder

Is it safe to change ths setting?

0 Karma


Not always safe no.

You should be sure you want the KOs within an app to be exported system wide before you change this setting.

The doco for default.meta isn't particularly useful on this 

* By default, objects are only visible within the app in which they were created.
  To make an object available to all apps, set the object's 'export' setting to
  * export = system

Essentially if you set the default to an app to system then the when you are in another app you will still see content from this app. That can be good but it can also be bad, if the app you set to export = system has overly complex props for field extraction etc they may start to make info harder to read in another app. When you search in Splunk you are doing so through several lenses or overlays, Your user, the seacrh head itself and then the app you are in and other apps that export to system. ES is a little different on that final bit in that it only "imports" other apps if they match a whitelist/pattern.

In the case of Cim validator there isn't much to worry about but it is always worth being sure you want to actually export to system before doing so.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...