Hello,
I recently encountered an issue with Splunk Cloud. After creating a new eval in the "Fields" menu under "calculated fields," named 'src' for the source type "my_source_type," I adjusted the permissions to make it readable and writable for my role, with app permissions set to all apps. However, upon saving these permissions, the eval disappeared, and I couldn't locate it anywhere.
Thinking it might not have saved properly, I attempted to recreate it with the same name and source type. However, when I tried to adjust the permissions, I received a red error banner stating: "Splunk could not update permissions for resource data/props/calcfields [HTTP 409] [{'type': 'ERROR', 'code': None, 'text': 'Cannot overwrite existing app object'}]"
Any recommendations on where I should search to locate the initially created eval that seems to have gone missing?
Thank you.
Hi @Ismail_BSA
you can use following restcall to find caluclated fields created by you
| rest splunk_server=local services/data/props/calcfields/ | search author = <yourid> | table attribute field.name eai:acl.app author eai:acl.sharing
----
Regards,
Sanjay Reddy
----
If this reply helps you, Karma would be appreciated
Hi @SanjayReddy
Thank you for your reply.
Unfortunatelly, this is not working since your proposed commend will display the same fields as in the menu Fields>calculated fields. I think the issue is more related to the authorisations. I am 100% sure that I allowed my role to read/write the newly created varaible. But I can't find it.
Regards.