Splunk Enterprise Security

How to make an App, its Commands, and Lookup permissions "global"?

panovattack
Communicator

We've installed an app that initially does not install as a "global" permission. We'd like to make its resources (e.g. custom commands, lookup tables) available to other apps, especially in the context of Splunk Enterprise Security correlation searches. We've set the app to global with global read permissions as well as all its objects. The commands and lookups are still not available in other apps. We've attempted to restart the relevant search head. Any ideas on where to look for troubleshooting?

0 Karma

Grumpalot
Communicator

Hello there,
Can you verify, via the search below in Search, that you can pull data from the file?

| inputlookup yourfilename.csv

If you can run the above search and it returns results, then view permissions are good. If not, check Settings > Lookups > Lookup Tables Files > App Name - File Permissions

If you can search the above, then verify your definitions are set up for your lookups: Settings > Lookups > Lookup Definitions > App Name - Definitions / Sharing Permissions

If those are fine, check your Automatic lookups: Settings > Lookups > Automatic Lookups > App Name - Name / Sharing Permissions.

To verify your custom commands are working and are Global, run the search below in Search:

| commandname

If your command does not work, go to Settings > Advanced Search > Search Commands > Command Name / Sharing Permissions

0 Karma

panovattack
Communicator

The lookup definition is set to global. The def points to a KVSTORE.

I checked the permissions of the command and they are set to Global, everyone can read.

I would also note that when I try to add this app as the custom context for a correlation search, it does appear in the list of apps. It is as if the whole app is not set to Global, even though the permissions have been set that way...

0 Karma
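
A way to check what the sharing settings discussed in this thread resolve to on disk, as an added example that is not part of the original posts: it reads the text of an app's `metadata/default.meta` and `metadata/local.meta` and lists the objects whose effective `export` is not `system`. The file contents, the object names (`mycommand`, `my_kv_lookup`, `my_collection`) and the stanza precedence used here (most specific stanza first, then `local.meta` over `default.meta`) are assumptions of this example.

```python
# Constructed sample files; object names are hypothetical stand-ins.
SAMPLE_DEFAULT = """
[]
access = read : [ * ], write : [ admin ]
export = none

[commands]
export = system
"""
SAMPLE_LOCAL = """
[transforms/my_kv_lookup]
access = read : [ * ], write : [ admin ]
export = system
"""
OBJECTS = [("commands", "mycommand"), ("transforms", "my_kv_lookup"),
           ("collections", "my_collection"), ("lookups", "yourfilename.csv")]

def parse_meta(text):
    """Parse .meta text into {stanza: {key: value}}; '' is the app-wide [] stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective_export(default_meta, local_meta, obj_type, name):
    """Assumed precedence: most specific stanza first, local.meta over default.meta."""
    layers = [parse_meta(local_meta), parse_meta(default_meta)]
    for stanza in (f"{obj_type}/{name}", obj_type, ""):
        for layer in layers:
            if "export" in layer.get(stanza, {}):
                return layer[stanza]["export"]
    return "none"  # nothing set anywhere: the object stays private to its app

def not_global(default_meta, local_meta, objects):
    """Return the (type, name) pairs whose effective export is not 'system'."""
    return [(t, n) for t, n in objects
            if effective_export(default_meta, local_meta, t, n) != "system"]

if __name__ == "__main__":
    for obj_type, name in not_global(SAMPLE_DEFAULT, SAMPLE_LOCAL, OBJECTS):
        print(f"not shared globally: {obj_type}/{name}")
```

In the constructed sample the lookup definition and the command resolve to `system`, while the KV store collection behind the definition and the CSV lookup file still fall back to the app-wide `export = none`.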