Security

Sharing field extraction, saved search or dashboard between users

Eldad
Explorer

Hi,

If a user defines a field extraction, saved search or dashboard, will those be available to other users with the same role?

Thanks!

Tags (2)
0 Karma

ewoo
Splunk Employee
Splunk Employee

User-defined field extractions, saved searches, and dashboards are NOT available to other users by default, even users of the same role. In order to make an object visible to others, the creator must share it to an app and grant read permission to the desired roles.

This can be done in Manager by clicking the Permissions link next to an object.

For more information, please refer to the docs

ewoo
Splunk Employee
Splunk Employee

that I dont know. How would I change the permissions on the associated transform?

Settings > Fields > Field transformations > yourtransform > Permissions

(Sidenote: I recreated this comment as a new "thread". Adding new comments to the existing thread doesn't seem to be working ...)

0 Karma

ewoo
Splunk Employee
Splunk Employee

If you can't find "yourtransform" in the "Field transformations" listing, it might be worth looking at the field extraction directly, to see what transform it references -- Settings > Fields > Field extractions > jmetter_logs : REPORT-LoadTest1

0 Karma

shawnbeard
Explorer

@ewoo Under Extractions/Transform all it says is REPORT-LoadTest1. Under Type is Uses Transform.

When I go Field Transformations to look for this it isnt there, not even under the All category.

0 Karma

ewoo
Splunk Employee
Splunk Employee

When I go Field Transformations to look for this it isnt there, not even under the All category.

I see. It looks like the Field Transformations settings page only supports REGEX/FORMAT-based transforms and not DELIMS/FIELDS-based ones.

Do you have REST API access to the search head? If so, you should be able to use the REST API directly to fix up the transform. For example, something like:

curl -sku admin:admin_password https://searchhead-hostport/servicesNS/original_owner/search/configs/conf-transforms/REPORT-LoadTest... -d sharing=app -d perms.read=* -d owner=original_owner
0 Karma

shawnbeard
Explorer

I have granted global read/write permissions to a field extraction, however when a user other than the one who created the extraction runs the search, it does not show up for them. Any ideas?

0 Karma

ewoo
Splunk Employee
Splunk Employee

@shawnbeard: does the user in question have read access to the app containing the field extraction?

shawnbeard
Explorer

@ewoo yes they do, Its the search app. I gave the role they belong to read/write access to that extraction. Still only works for the owner. Also Im ad admin and the extractions dont show up for me either.

0 Karma

ewoo
Splunk Employee
Splunk Employee

Some questions, to help narrow things down:

  • is the user running a search that explicitly requires the field in question, e.g. "* | fields + myfield" ... or is the user running an "exploratory" search?
  • if "exploratory": is it possible that the user in question has other field extractions in effect, causing this specific field extraction to be skipped due to the default system limit on extractions?'
  • is the user in question running an event-based search or a reporting search?
  • if event-based: is the user running the search in smart, verbose, or fast mode?
  • if fast mode: does the extraction work if the user runs in verbose mode instead?
0 Karma

shawnbeard
Explorer

@evoo its a very simple general search:
index="dice_loadtest" source="/usr/local/logs/jmeterLogs/fullTest_07-21+11:51:02.jtl"

The users in question both have the same roles with access to the same search indexes. It defaults to smart mode for both users. Only difference is the one user created the extraction. So for him, the fields show up for anyone else, including me, they dont despite the global read/write permissions to "Everyone"

0 Karma

ewoo
Splunk Employee
Splunk Employee

Does the field extraction work for you (admin) if you modify the search string to require the extracted-field explicitly -- e.g. index=dice_loadtest source=*.jtl myfield=* | fields + myfield ...?

0 Karma

shawnbeard
Explorer

@ewoo no running this shows no extracted fields at all. When I select Extract Fields i get an error: The events associated with this job have no sourcetype information: 1469143490.1775

Also whats odd is as an admin I cant even tell what he is extracting. When i go to Fields-->Field extractions for his user account, I see this:

jmetter_logs: REPORT-LoadTest1 Type: User transform Extraction/Transform: Report-LoadTest1 selecting it I cant see what its doing

0 Karma

shawnbeard
Explorer

Thats Uses Transform

0 Karma

ewoo
Splunk Employee
Splunk Employee

Thats Uses Transform

Oh, this prop references a transform? Does the field extraction work for other users if the associated transform also has its permissions set appropriately (share to app, set read permissions) ...?

My understanding is that, if you create a field extraction via the UI that references a transform, then share the extraction via the UI, the associated transform is left private. I believe this is a known issue (internal bug: SPL-118752).

0 Karma

shawnbeard
Explorer

that I dont know. How would I change the permissions on the associated transform?

0 Karma

shawnbeard
Explorer

@ewoo Im not finding any transaforms for this, or any associated with the search app.

0 Karma

ewoo
Splunk Employee
Splunk Employee

How would I change the permissions on the associated transform?

Settings > Fields > Field transformations > yourtransform > Permissions

0 Karma

shawnbeard
Explorer

Im an admin and it doesnt work for me either.

0 Karma

ewoo
Splunk Employee
Splunk Employee

Im an admin and it doesnt work for me either.

Are you saying the field extraction just doesn't work at all, even for admin? Or it works when it is private, then stops working when it is shared to the app level?

0 Karma

shawnbeard
Explorer

@ewoo It works for the user who created the field extraction, but no one else including the admin(me) I currently tried sharing at app level and global level and it still has made no difference.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...