Hi everybody,
I used this request with the user rest-api-reportingweb; I want to write to a KV store lookup:
| makeresults
| eval Category = "HOST Blacklist"
| eval activation = "09/15/21"
| eval target = "Un test ajout"
| eval url = "http://www.test.html"
| eval tester = "*test.html*"
| eval key=Category.tester.target
| table key,Category,activation,target,tester,url
| outputlookup t_PROXY_lookup append=True override_if_empty=false key_field=key
I have this error:
Error in 'outputlookup' command: Lookup failed for collection 'Condition_List_Mcafee' in app 'Splunk_For_Cnaf_Secuteams' for user 'rest-api-reportingweb': User 'rest-api-reportingweb' with roles { rest-api-reportingweb, si_cnaf, user, wan } cannot write: /nobody/Splunk_For_Cnaf_Secuteams/collections/Condition_List_Mcafee { read : [ * ], write : [ admin, power ] }, owner: adm0-ahuli755, removable: no, modtime: 1614188730.883726000.
I gave permissions in the lookup definitions for this user. I can't for the lookup file, because the KV store file doesn't appear.
app/local/collections.conf :
[Condition_List_Mcafee]
field.Category = string
field.activation = string
field.target = string
field.tester = string
field.url = string
replicate = true
app/local/transforms.conf :
[t_PROXY_lookup]
external_type = kvstore
collection = Condition_List_Mcafee
case_sensitive_match = true
match_type = WILDCARD(tester)
fields_list = _key,Category,url,activation,target,tester
app/metadata/local.meta :
[transforms/t_PROXY_lookup]
access = read : [ * ], write : [ admin, power, rest-api-reportingweb ]
export = system
owner = nobody
version = 7.3.3
modtime = 1632255805.643188000
app/lookups/lookup_file_backups/Splunk_For_Cnaf_Secuteams/nobody
I don't see the file in this directory.
What am I missing?
Thanks for your help
Best regards
Alexandre
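
The error quoted above names the object `collections/Condition_List_Mcafee`, while the posted local.meta stanza grants write on `transforms/t_PROXY_lookup`. The following Python script is an added example, not part of the original post and not Splunk code: it parses both texts and reports which object the user's roles can write. Its function names are hypothetical, and it assumes the error layout and `access =` syntax exactly as quoted in the post.

```python
import re

# Error text and local.meta stanza (header and access line) copied from the post above.
ERROR = ("User 'rest-api-reportingweb' with roles { rest-api-reportingweb, si_cnaf, "
         "user, wan } cannot write: /nobody/Splunk_For_Cnaf_Secuteams/collections/"
         "Condition_List_Mcafee { read : [ * ], write : [ admin, power ] }")
LOCAL_META = """\
[transforms/t_PROXY_lookup]
access = read : [ * ], write : [ admin, power, rest-api-reportingweb ]
"""

def roles(text):
    return {r.strip() for r in text.split(",") if r.strip()}

def parse_denial(error):
    """Return (user roles, denied object as type/name, roles in its write list)."""
    m = re.search(r"with roles \{([^}]*)\} cannot write: /[^/]+/[^/]+/(\S+) "
                  r"\{.*?write : \[([^\]]*)\]", error)
    if not m:
        raise ValueError("not a write-denial message in the expected format")
    return roles(m.group(1)), m.group(2), roles(m.group(3))

def parse_meta(text):
    """Map each .meta stanza name to the roles in its write list."""
    acl, stanza = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            acl[stanza] = set()
        elif stanza and line.startswith("access"):
            m = re.search(r"write : \[([^\]]*)\]", line)
            acl[stanza] = roles(m.group(1)) if m else set()
    return acl

def diagnose(error, meta_text):
    """Compare the object named in the denial with the stanzas that grant write."""
    user_roles, denied, write_roles = parse_denial(error)
    meta = parse_meta(meta_text)
    grants = lambda allowed: "*" in allowed or bool(user_roles & allowed)
    return {
        "denied_object": denied,
        "write_allowed": grants(write_roles),
        "stanza_in_meta": denied in meta,
        "stanzas_granting_write": sorted(s for s, w in meta.items() if grants(w)),
    }

if __name__ == "__main__":
    print(diagnose(ERROR, LOCAL_META))
```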