Why do we have the --not exporting configurations globally to system-- message?


We have this message popping out -

-- Search peer SH name has the following message: Health Check: One or more apps ("SA-cim_vladiator-master") that had previously been imported are not exporting configurations globally to system. Configuration objects not exported to system will be unavailable in Enterprise Security.

Why is it?



Hi Daniel,

what the message says is that the knowledge objects defined inside the SA-cim_validator-master app cannot be seen from inside the Splunk Enterprise Security App, unless they are declared as "system". I assume that you have installed ES recently, which in turn activates the check for non-global objects in the health check. To resolve the "error" either remove the SA-cim_validator-master app or change the permissions of the app's knowledge objects to system. The error could also come from recent changes to the SA.../metadata/*.meta files that have in effect changed the permissions.

Best regards



Do you know if there are any other common causes for this?

I am getting the same error described above except I have three separate apps listed, none of which are SA-CIM...

I checked the first one in the GUI by going to Settings > Knowledge > All Configurations and under Permissions for all of the affected apps it's set to Global. When I open the permissions it's set so that Everyone can Read. I assume this should be sufficient.

I also checked the metadata file in local and for each type (tags, event types, transforms, props, lookups, viewstates) they all have export = system.

Any ideas?



You will need to put this setting in the add-on's metadata/local.meta file to allow everyone read access to all the objects defined in the add-on or app by default. That would stop the messages from showing up:

access = read : [ * ], write : [ admin ]
export = system


Thank you! Worked for me!



Thank you! I updated the file on the deployment server and redeployed the apps. Now the error is gone!


Is it safe to change this setting?



Not always safe, no.

You should be sure you want the KOs within an app to be exported system wide before you change this setting.

The doco for default.meta isn't particularly useful on this:

* By default, objects are only visible within the app in which they were created.
  To make an object available to all apps, set the object's 'export' setting to
  * export = system

Essentially, if you set the default for an app to system, then when you are in another app you will still see content from this app. That can be good, but it can also be bad: if the app you set to export = system has overly complex props for field extraction etc., they may start to make info harder to read in another app. When you search in Splunk you are doing so through several lenses or overlays: your user, the search head itself, and then the app you are in and other apps that export to system. ES is a little different on that final bit in that it only "imports" other apps if they match a whitelist/pattern.

In the case of Cim validator there isn't much to worry about but it is always worth being sure you want to actually export to system before doing so.

0 Karma
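
An added example, not part of the thread and not Splunk's own code: a small Python audit that layers metadata/local.meta over metadata/default.meta and reports, per stanza, the effective export value and whether everyone can read it, so you can see what a blanket export = system would expose before changing it. The sample file contents are constructed, and the resolution order ([] then [type] then [type/object], local over default) and the treatment of a missing export as app-only are assumptions of this sketch.

```python
import re

# Constructed sample .meta contents (not taken from the thread's apps).
DEFAULT_META = ("[]\naccess = read : [ admin ], write : [ admin ]\n"
                "[props]\nexport = system\n"
                "[lookups/assets.csv]\nexport = none\n")
LOCAL_META = "[]\naccess = read : [ * ], write : [ admin ]\nexport = system\n"

def parse_meta(text):
    """Parse .meta text into {stanza: {key: value}}; '' is the [] stanza."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith("#") and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def merge(default, local):
    """Overlay local.meta on default.meta, setting by setting."""
    merged = {name: dict(kv) for name, kv in default.items()}
    for name, kv in local.items():
        merged.setdefault(name, {}).update(kv)
    return merged

def effective(meta, stanza):
    """Resolve a stanza's settings (assumed order): [] < [type] < [type/object]."""
    out = dict(meta.get("", {}))
    parts = stanza.split("/", 1)
    if stanza:
        out.update(meta.get(parts[0], {}))
    if len(parts) == 2:
        out.update(meta.get(stanza, {}))
    return out

def audit(default_text, local_text):
    """Return {stanza: (export, everyone_can_read)} for every stanza found."""
    meta = merge(parse_meta(default_text), parse_meta(local_text))
    report = {}
    for stanza in meta:
        eff = effective(meta, stanza)
        read = re.search(r"read\s*:\s*\[([^\]]*)\]", eff.get("access", ""))
        roles = [r.strip() for r in read.group(1).split(",")] if read else []
        report[stanza] = (eff.get("export", "none"), "*" in roles)  # no export: app-only (assumed)
    return report

print(audit(DEFAULT_META, LOCAL_META))
```

In the constructed sample, the object-level [lookups/assets.csv] stanza still resolves to export = none even after the blanket [] setting is added in local.meta, which is the kind of leftover worth looking for when the health check message persists.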