I recognize this is an old post but I ran into this issue today and this is how I solved it. In my case, there was another data model with the same name shared globally in another app (App B). I had to change the permissions of the global data model to shared in app (App B), then I could delete the other data model in App A. Once deleted, I changed the permissions for data model in App B back to global. Hope this helps! ... View more

did you figure out what the issue was? I am having the same problem running 9.3.  ... View more

How does it mess up the nexpose appliance? ... View more

I am getting ready to attempt the rapid7 Nexpose addon. Did it end up working for you? I am wondering if there is a better approach since the app only has two stars on splunk base and is not a splunk supported app.  ... View more

Did you end up creating the tag to get the endpoint.processes data model to populate? I am seeing the same issue in Splunk_TA_nix 9.7.0  ... View more

Were you able to resolve the issue? I am getting the same error.  ... View more

did you ever resolve this issue?  ... View more

I realize this is a dated post but is closely aligned with the issue I am having with my shell script custom alert action.. Please elaborate on how you read in the stdin arguments to the shell script. I copied the sample script in the docs. The alert triggers the script and will print the $0 but the rest of the variables are null. Do I need to list the SPLUNK_ARG_x variables out in the alert_actions.conf? ... View more

Via the outputlookup command ... View more

Do you know why audittrail shows "N/A" for user when a Splunk user creates a lookup file? For example, I created a lookup file testingLookupCreationAudit.csv using the outputlookup command and the logged event for it showed, Audit:[timestamp=08-17-2020 15:02:32.078, user=n/a, action=add,path="/data/1/splunk/etc/apps/search/lookups/testingLookupCreationAudit.csv", isdir=0, size=117, gid=1001, uid=1001, modtime="Mon Aug 17 14:54:10 2020", mode="rw-------", hash=][n/a] Why didn't Splunk log my user name in this event? ... View more

Thanks @richgalloway for your response. I was wondering if there is a way to modify Splunk's built in commands or at least override them with my own process. I have  a custom command that I have created that does what I want the outputlookup command to do but it would require all users to use the new command. Ideally, I would allow users to continue with the outputlookup command but change how it functions so that new files are stored in the etc/<user>/<app>/lookups directory instead of the etc/<app>/lookups directory.  ... View more

This is pretty close to what I'm trying to do as well. Curious if you got it to work? ... View more

I modified the files how you suggested. Doing so changes the default permissions applied when the user runs the outputlookup command. So now if a user creates a lookup file with the command it creates a lookup owned by nobody and only admins can modify it. I think the lack of ownership is an issue with the command itself rather than the metadata settings because when you go to the lookup files page and select to create a new lookup, that new file is created as a private object under the user's account. I may need to look into limiting who can run the outputlookup command so that we can reduce the number of ad hoc lookups created by nobody. We have a scripted process to reassign these lookups based on the last person who ran an outputlookup to create/updated the file, but I was trying to stop the creation of lookup files without owners at its source.  If anyone knows how the outputlookup command is programmed in Splunk, I'd love to see it. It should function like the lookup-table-files.xml (Create new lookup form) in ...\Splunk\etc\apps\search\default\data\ui\manager\data_lookup_table_files.xml but it clearly doesn't. 😞 ... View more

Thank you for your reply. I changed the app owner and now when a user runs the outputlookup command the lookup is assigned to the owner I specified for the app and not the user. I would like for the lookup ownership to be assigned to the user who created the lookup file via the outputlookup command. For instance, in the search & reporting app, when a user creates a new report, that report is saved by default as private to the user. I would like the same thing to happen in the search & reporting app, when a user creates a lookup file via the outputlookup command. ... View more

Did you get an answer for this? I am also looking to change the default behavior of how lookups are created. A few years back I believe the default behavior was to create the lookup as a private object under the user's app directory... which was way better for object management.  ... View more