
Sharing search with custom field extraction

kaufmanm
Communicator

I have a user that wants to give me a search with references to a number of custom field extractions local to his profile.

e.g. index=cisco SLA="191" | transaction Cisco_Host maxspan=1800s

While I have access to the same index, I can't see the results of the search since I don't know how the custom field extraction is defining SLA or Cisco_Host, for example. Both he and I are minimally privileged users, so I can't look at anything about his profile. Is there any easy way for him to convert his search into something not reliant on any custom field extractions? i.e. he runs a search expander and is then able to send me this search so I can see his results:

e.g. index=cisco | rex field=_raw "SLA: (?<SLA>\d\d\d)" | rex field=_raw "Cisco Host: (?<Cisco_Host>.*) " | search SLA="191" | transaction Cisco_Host maxspan=1800s

Or do I need to get him to send me all his custom field extractions and maintain a separate copy on my account? These are probably just quick hack extractions that could change and probably aren't going to be shared globally or on any app.

1 Solution

skoelpin
SplunkTrust

I would recommend doing a field extraction at search time using the |rex command and save the search. This would prevent you from needing to maintain a separate version of custom field extractions


somesoni2
SplunkTrust

The best method for sharing knowledge objects, which includes fields extraction, is to get their sharing permission changed to "App level" OR "Global/all apps". If you're not privileged users, you can work with your admin/power user in your area to get them published with proper sharing permission. This way field extractions will be easier to manage.
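As an added illustration of the app-level sharing described above (written for this thread, not taken from any of the posters), here is what an admin-managed search-time extraction and its permissions look like on disk. The app name, the sourcetype `cisco`, the role name `user` and the two regexes are assumptions chosen to match the example search in the question.

```ini
# etc/apps/cisco_sla/local/props.conf  (app and sourcetype names assumed)
# Search-time extractions replace the per-user rex commands; the named
# capture groups become the fields SLA and Cisco_Host used in the search.
[cisco]
EXTRACT-sla = SLA:\s(?<SLA>\d{3})
EXTRACT-cisco_host = Cisco Host:\s(?<Cisco_Host>\S+)

# etc/apps/cisco_sla/metadata/local.meta
# Sharing and permissions for the two knowledge objects above.
# export = system makes them visible in all apps ("Global");
# omit it to keep them at "App level". Read access is granted to the
# restricted role so that non-admin users can use the fields, while
# only admin can modify the extraction.
[props/cisco/EXTRACT-sla]
access = read : [ user ], write : [ admin ]
export = system

[props/cisco/EXTRACT-cisco_host]
access = read : [ user ], write : [ admin ]
export = system
```

With these in place, index=cisco SLA="191" | transaction Cisco_Host maxspan=1800s returns the same results for every user in the role, with no per-profile copies to keep in sync.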

skoelpin
SplunkTrust

To add onto this... If the Splunk admin refuses to escalate your privileges, then you can request that they make a new user role which has your current privileges and add the field extractions to the role, so you're still "restricted" from doing higher-level tasks but able to do what you need to do.


kaufmanm
Communicator

Would there be a way for me to get access to a user's private field extractions without admin_all_objects?


somesoni2
SplunkTrust

Nopes (they won't be private if someone else can access them, right?). Just ask your admin to clone the field extractions, share them within the app (or globally) and provide read access to your current role (which I'm guessing is the regular user role).


kaufmanm
Communicator

Just frustrating there's a readwrite_all_objects capability but somehow there is no read_all_objects capability.


kaufmanm
Communicator

This works. Still a bit of work to construct in this case.
