Solved: Can we check App permission via Splunk logs

Naga · ‎02-24-2021

Here is the requirement:

I wanted to create a form with list of Apps in my Search head Dropdown. If the Developer choose any App from the list then it should show what level of permission (Read / Write) to whom in the dashboard. Is the App metadata writing this information anywhere in the logs. Or can we get this via REST API Search?

Sample Output

App	Permission
Dashboard Examples	READ - * ; WRITE - POWER

manjunathmeti · ‎02-24-2021

hi @Naga ,

Check this:

| rest /services/apps/local 
| rename "eai:acl.perms.read" AS read, "eai:acl.perms.write" AS write 
| fields title label version read write
| strcat "READ - " read "; WRITE - " write permissions

If this reply helps you, an upvote/like would be appreciated.

View solution in original post

manjunathmeti · ‎02-24-2021

hi @Naga ,

Check this:

| rest /services/apps/local 
| rename "eai:acl.perms.read" AS read, "eai:acl.perms.write" AS write 
| fields title label version read write
| strcat "READ - " read "; WRITE - " write permissions

If this reply helps you, an upvote/like would be appreciated.

Naga · ‎03-02-2021

Thank you manjunath. It helped a lot. Can we get the same in internal logs? We have different search head and each set is owned by different teams like Team 1 Splunk Infra / Team 2 / Team 3.

Can we check App permission via Splunk logs

table

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector