We've installed an app that initially does not install as a "global" permission. We'd like to make its resources (e.g. custom commands, lookup tables) available to other apps, especially in the context of Splunk Enterprise Security correlation searches. We've set the app to global with global read permissions as well as all its objects. The commands and lookups are still not available in other apps. We've attempted to restart the relevant search head. Any ideas on where to look for troubleshooting?
Hello there,
can you verify via the search below in search you can pull data from the file
| inputlookup yourfilename.csv
If you can run the above search and return results then view permissions are good. If not check Settings > Lookups > Lookup Tables Files > App Name - File Permissions
If you can search the above then verify your definitions are setup for your lookups Settings > Lookups > Lookup Definitions > App Name - Definitions / Sharing Permissions
If those are fine check your Automatic lookups Settings > Lookups > Automatic Lookups > App Name - Name / Sharing Permissions.
To verify your custom commands are working and are Global run the below search in search
| commandname
If your command does not work go to Settings > Advanced Search > Search Commands > Command Name / Sharing Permissions
The lookup definition is set to global. The def points to a KVSTORE.
I checked the permissions of the command and they are set to Global, everyone can read.
I would also note that when I try to add this app as the custom context for a correlation search, it does appear in the list of apps. It is as if the whole app is not set to Global, even though the permissions have been set that way...