Splunk Search

I can't write to a kvstore as a user

AlexH
Engager

Hi everybody,

I used this request with the user rest-api-reportingweb; I want to write in a kvstore lookup:

| makeresults
| eval Category = "HOST Blacklist"
| eval activation = "09/15/21"
| eval target = "Un test ajout"
| eval url = "http://www.test.html"
| eval tester = "*test.html*"
| eval key=Category.tester.target
| table key,Category,activation,target,tester,url
| outputlookup t_PROXY_lookup append=True override_if_empty=false key_field=key

 

I have this error:

Error in 'outputlookup' command: Lookup failed for collection 'Condition_List_Mcafee' in app 'Splunk_For_Cnaf_Secuteams' for user 'rest-api-reportingweb': User 'rest-api-reportingweb' with roles { rest-api-reportingweb, si_cnaf, user, wan } cannot write: /nobody/Splunk_For_Cnaf_Secuteams/collections/Condition_List_Mcafee { read : [ * ], write : [ admin, power ] }, owner: adm0-ahuli755, removable: no, modtime: 1614188730.883726000.

I gave permissions in the lookup definitions for this user. I can't for the lookup file, because for a kvstore the file doesn't appear.

app/local/collections.conf :
[Condition_List_Mcafee]
field.Category = string
field.activation = string
field.target = string
field.tester = string
field.url = string
replicate = true

app/local/transforms.conf  :

[t_PROXY_lookup]
external_type = kvstore
collection = Condition_List_Mcafee
case_sensitive_match = true
match_type = WILDCARD(tester)
fields_list = _key,Category,url,activation,target,tester

app/metadata/local.meta

[transforms/t_PROXY_lookup]
access = read : [ * ], write : [ admin, power, rest-api-reportingweb ]
export = system
owner = nobody
version = 7.3.3
modtime = 1632255805.643188000

 app/lookups/lookup_file_backups/Splunk_For_Cnaf_Secuteams/nobody

I don't see the file in this directory.

What am I missing?

Thanks for your help

Best regards

Alexandre

0 Karma
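
An added example, not part of the original post: the error reports the write ACL of the collection object (`collections/Condition_List_Mcafee`), which is a separate object from the `transforms/t_PROXY_lookup` stanza shown in local.meta. The sketch below evaluates both ACLs for the user's roles; the `[collections/...]` stanza text is constructed from the error message, and the role added to it is an assumed fix that grants write to that one role only.

```python
import re

# Constructed input: the transforms stanza from the post's local.meta, plus a
# collections stanza reproducing the ACL the error message reports.
META_BEFORE = """
[transforms/t_PROXY_lookup]
access = read : [ * ], write : [ admin, power, rest-api-reportingweb ]

[collections/Condition_List_Mcafee]
access = read : [ * ], write : [ admin, power ]
"""
# Assumed fix (not from the post): add only the service role to the collection ACL.
META_AFTER = META_BEFORE.replace(
    "write : [ admin, power ]", "write : [ admin, power, rest-api-reportingweb ]")

USER_ROLES = {"rest-api-reportingweb", "si_cnaf", "user", "wan"}  # from the error
OBJECTS = ["transforms/t_PROXY_lookup", "collections/Condition_List_Mcafee"]

def parse_meta(text):
    """Return {stanza: {"read": set, "write": set}} from .meta-style text."""
    acls, stanza = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1)
        elif stanza and line.startswith("access"):
            acls[stanza] = {
                perm: {r.strip() for r in roles.split(",") if r.strip()}
                for perm, roles in re.findall(r"(read|write)\s*:\s*\[([^\]]*)\]", line)
            }
    return acls

def can_write(roles, acl):
    """Write is allowed if the ACL lists '*' or at least one of the roles."""
    allowed = acl.get("write", set())
    return "*" in allowed or bool(roles & allowed)

def blocking_objects(meta_text, roles, objects):
    """Objects on the outputlookup path whose write ACL denies these roles.
    Simplification: a missing stanza counts as deny (no inheritance modelled)."""
    acls = parse_meta(meta_text)
    return [o for o in objects if not can_write(roles, acls.get(o, {}))]

if __name__ == "__main__":
    print("before:", blocking_objects(META_BEFORE, USER_ROLES, OBJECTS))
    print("after: ", blocking_objects(META_AFTER, USER_ROLES, OBJECTS))
```
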