About theprophet01

theprophet01

Hello Splunkers, I've created a custom role with very basic capabilities enabled. The capability "edit_own_objects" has been disabled. For some reason the user is able to clone reports as well as save searches as reports. Also the user is able to access "New Report" button when clicking Settings->Searches,Reports,Alerts. I thought disabling edit_own_object capability would prevent the user from creating any objects, but it is not the case. I've made sure the user only has read access to the app as well. Any help of suggestions would be appreciated! Thanks!

theprophet01

Update @ITWhisperer you got me in the right direction. I was able to find the following article: https://docs.splunk.com/Documentation/ITSI/4.19.0/Configure/CustomRoles and was able to resolve the issue by including the new custom role under KV store collections: itsi_services itsi_teams By using the following the steps: Step 4: Assign the role KV store collection level access The SA-ITOA file includes default entries in metadata/default.meta that determine access to KV store collections for ITSI roles. For a list of default permissions to KV store collections for ITSI roles, see KV store collection permissions in ITSI. By default, only the itoa_admin role has read/write/delete access to all ITSI KV store collections. Set permissions to KV store collections in Splunk Web In Splunk Web, go to Settings > All configurations. Set the App to IT Service Intelligence (itsi). Set the Owner to Any. Make sure Visible in the App is selected. Filter by collections-conf to only display KV store collections. For a specific view, click Permissions in the Sharing column. Check the boxes to grant read and write permissions to the various collections for ITSI roles. Click Save. This action updates KV store access permissions for the specific ITSI roles in $SPLUNK_HOME/etc/apps/SA-ITOA/metadata/local.meta. Set permissions to KV store collections from the command line Create a local.meta file in the SA-ITOA/metadata/ directory. cd $SPLUNK_HOME/etc/apps/SA-ITOA/metadata cp default.meta local.meta Edit SA-ITOA/metadata/local.meta . Set access for specific roles in local.meta. For example: [collections/itsi_services] access = read : [ itoa_admin, itoa_analyst, itoa_user ], write: [ itoa_admin ]

theprophet01

Hi @ITWhisperer , thanks for reaching out, as part of my test the ITSI app permissions are set to read and write for "Everyone". Also an app called ITOA Backend with folder name SA-ITOA has the same permissions set.

theprophet01

Hello Splunkers, I have question, I'm trying to configure a custom role in Splunk where I'm assigning capabilities natively. I'm recreating the default capabilities assigned to User in Splunk Enterprise and itoa_user in Splunk ITSI without using the inheritance option (doing this as a test so I can later remove capabilities as I need to). The problem I have is that once I save the role with all 65 matching capabilities selected and login as the testuser assigned to that role, dashboards that use the "getservice" command in their searches do not work and display the following error: [subsearch]: command="getservice", [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/SA-ITOA/storage/collections/config/itsi_team This issue does not happen when I simply select Inherit capabilities for User and itoa_user. Any ideas as to what could be causing this issue? I'm running splunk version 9.1.1

theprophet01 · ‎04-29-2024

thanks @danspav ! that is very helpful!

theprophet01 · ‎04-16-2024

Hello! I would like to run a search which would display all information regarding entities and services. For example, for Entities where could I find information stored for: Entity Description, Entity Information Field, Entity Title. For Services, where could I find information stored for: Service Description, Service Title, Service Tags What type of search query could I run to find this information? Thanks,

theprophet01 · ‎04-15-2024

Hello Fellow Splunkers, I'm fairly new to ITSI and was wondering if this could be achieved. I 'm looking to create a report which would allow me to list all Services I have in ITSI along with their associated entities as well as list associated alerts or severity. Is there a query that could achieve this? any pointers are very much appreciated! Also any pointers where I could potentially find the data and bring it together in a search would be very helpful too. Thanks!

theprophet01 · ‎04-05-2024

this is perfect, thanks @spavin !

theprophet01 · ‎04-04-2024

I'm looking to export Service from Splunk ITSI however, there is no direct export feature in the GUI (at least within the Services page). Is there any other way to export ITSI services?

theprophet01 · ‎09-20-2023

Hello! I am using Splunk Enterprise Security app and whenever I access Security Posture Dashboard, the panels for both Top Notable Events and Top Notable Event Sources, are very small. I am only able to see 2 or 3 events at most and have to scroll up and down within the panel to see the rest of events. Is there any way to modify the panel size so that all top notable events are displayed without having to scroll within the small panel area? In previous versions, this panel used properly display at least 10 events without having to use any type of scrolling. Same issue happens with both chrome and microsoft edge browsers. Any help would be very much appreciated, Thanks!

theprophet01 · ‎08-29-2023

That worked perfect! I also used the 5 min scheduled search as suggested using a cron schedule. Thank you @gcusello you sir are indeed a legend!

theprophet01 · ‎08-28-2023

-I am running an alert which is not triggering email actions when using real-time option. The alert is used to search for hosts which have not sent logs in the last 5 minutes. -For example, I shut down a host for testing and wait 5 minutes. I then manually use the search string and specify time frame (e.g. last 15 minutes)- I am able to obtain results. However, even though the same search was configured in the form of an alert running in real time, it produces no results nor does it trigger an email. Here is the search I am using: index=* | stats max(_time) as latest by host | eval recent= if(latest > relative_time(now(),"-5m"),1,0). realLatest = strftime(latest, "%Y-%M-%D %H%M%S") | fields - latest | where recent = 0 | rename host AS Host, realLatest AS "Latest Timestamp" | table Host, "Latest Timestamp"

Posts	12
Solutions	1
Karma Given	7
Karma Received	0
Member Since	‎06-22-2022

Online Status	Offline
Date Last Visited	yesterday

User able to create reports although edit_own_obje...

[subsearch]: command="getservice", [HTTP 403] Clie...

ITSI how to obtain the same information found in g...

ITSI query to generate a list of Services with the...

Is it possible to export ITSI Services?

Security Posture Dashboard - Top Notable events pa...

Why is Alert action not triggering when using real...

User able to create reports although edit_own_obje...

Re: [subsearch]: command="getservice", [HTTP 403] ...