Security

Err: "Search operation 'rangemap' is unknown. You might not have permission to run this operation" And "Search operation 'gauge' is unknown. You might not have permission to run this operation."

zliu
Splunk Employee
Splunk Employee

Got these error messages with all users under one particular role "Search operation 'rangemap' is unknown. You might not have permission to run this operation" or "Search operation 'gauge' is unknown. You might not have permission to run this operation."

[role_production_support]

change_own_password = enabled

get_metadata = enabled

get_typeahead = enabled

list_inputs = enabled

request_remote_tok = enabled

rest_apps_view = enabled

rest_properties_get = enabled

rest_properties_set = enabled

search = enabled

schedule_search = enabled

srchIndexesAllowed = *

srchDiskQuota = 500

srchJobsQuota = 50

Tags (1)

xtrjx
Explorer

It appears this is not limited to just rangemap and gauge. It seems to be a problem with all *.py scripts on my system. My symptom was that "admin" could run all the *.py scripts located in $SPLUNK_HOME/etc/apps/search/bin, including rangemap and gauge. But regular users in any role I created could not run the scripts, even though they were set up with "read" permission and the scripts were "global".

A work-around that I used was:

Step 1. Copy rangemap.py ( likewise with gauge.py and any other *.py script you need ) from the $SPLUNK_HOME/etc/apps/search/bin directory to the $SPLUNK_HOME/etc/system/bin directory.

Step 2. Add the following stanza to $SPLUNK_HOME/etc/system/local/commands.conf:

[rangemap]

filename = rangemap.py

supports_getinfo = true

supports_rawargs = true

Step 3. Add the following stanza to $SPLUNK_HOME/etc/system/local/authorize.conf:

[capability::run_script_rangemap]

Step 4. Add the following to your custom role stanza. This is the stanza you created when you setup a new role in Splink Manager > Access Controls > Roles :

[your_role]

run_script_rangemap = enabled

Step 5. restart splunk.

This worked for me although I would not consider it a permanent fix because I would have to copy the *.py scripts again if Splunk updates them.

rroberts
Splunk Employee
Splunk Employee

could you post the search?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...