Splunk Search

Why is there an issue with Enterprise Security access for lookups created by DB Connect?

AlexeySh
Communicator

Hello,

We have an issue with the access to lookup tables generated by Splunk DB Connect. The tables are shared for all apps and everyone has a read access to it.

alt text

But when we try to call for those lookups from Enterprise Security we have an error “The lookup table 'xxx.csv' does not exist or is not available.” At the same time, the lookups are perfectly usable from Search & Reportings.

Could you tell please what we doing wrong?

Thanks for the help.

Regards,
Alex.

1 Solution

jkat54
SplunkTrust
SplunkTrust

See “importing add ons with different naming convention” here:

https://docs.splunk.com/Documentation/ES/5.1.0/Install/ImportCustomApps

In ESS you have to edit a regular expression that tells ESS which apps to import.

View solution in original post

jkat54
SplunkTrust
SplunkTrust

See “importing add ons with different naming convention” here:

https://docs.splunk.com/Documentation/ES/5.1.0/Install/ImportCustomApps

In ESS you have to edit a regular expression that tells ESS which apps to import.

AlexeySh
Communicator

Hello @jkat54

Yep, that's exactly what I had to do.

Thanks for the help!

Alex.

pdaigle_splunk
Splunk Employee
Splunk Employee

Assuming you are using the dbxlookup command or dbxquery command, you need to go to the "manage app" page and select "View objects for the DB Connect app. On that page, you will see dbxlookup, dbxquery, etc. and will need to make sure Sharing is set to Global for this capability. I think that might be the issue, especially if you are using those commands.

0 Karma

AlexeySh
Communicator

Hello @pdaigle_splunk

You're right, we use dbxquery command. But it is already global.
But thanks for your answer and for your time!

The real cause was discribed by @jkat54

0 Karma

pdaigle_splunk
Splunk Employee
Splunk Employee

Hello @AlexeySh.....no worries....glad you were able to get an answer.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...