Security

Permission issues while accessing kvstore lookups

thambisetty
SplunkTrust

Hi Splunkers,

I am trying to restrict permissions to role/user.

I have created a new role not inherited from any default roles. Created an app to share to the new role and app requires kvstore lookup (permission granted to role in search app for this kvstore lookup) to populate inputs in dashboards, but the kvstore lookup is created in search app where role doesn't have access to.

I tried moving collection and transforms to newly created app still dashboard is not working.

Please share your ideas on how to achieve this.

Thanks in advance.

————————————
If this helps, give a like below.
0 Karma

rrovers
Communicator

I noticed that Splunk does not always act on the owner value as expected.
When I defined the URL for navigating to the lookup editor I had to change the owner in the URL to "/app/lookup_editor/lookup_edit?owner=nobody&..." to make it work. Using the name of the real owner of the lookup file results in an error "you do not have permissions to view this lookup file".
Maybe your problem is similar to this?

0 Karma

renjith_nair
Legend

Hi @thambisetty,

You need to set the permissions of the collections from search head in Lookup sections. Set the permissions of the collection to be accessible by the new role.
Alternatively, object permissions are set in the metadata folder of the app. So you might need to copy the section which defines the permissions of the KV store collections and put it into the new app.
Sample entry in .meta file will be similar to

[transforms/my_collection]
access = read : [ * ], write : [ * ]
export = system
owner = admin
version = 7.1.1
Happy Splunking!
0 Karma

thambisetty
SplunkTrust

Hi,

Thanks for your answer, but this is not working.

————————————
If this helps, give a like below.
0 Karma

renjith_nair
Legend

Alright! So let's try to make it work.

So far, you have an app to segregate user permissions and a new role is created and assigned to this app. All the dashboards are moved to this app and users are able to access the dashboards.
If you want your users to use your lookups which are created in kvstore, you need to have this definition in transforms.conf and collections.conf under this app. In addition to this, we need to give them permissions to use these collections, which is either given by using Splunk Web and looking for these collections and setting the permissions, or by using the metadata file. The easiest way to troubleshoot is to simulate this by creating a new user and adding the new role. Let us know the error you are getting while accessing the dashboard/lookup.

Happy Splunking!
0 Karma
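An added example, not part of the original replies or of Splunk's own tooling: the two answers above say the role needs read access, set in the app's metadata file, to both the lookup definition and the KV store collection. This Python sketch audits a .meta file for that and also flags the `write : [ * ]` grant from the sample entry, which lets every role modify the object. The file content, the role name `dashboard_viewer`, the `collections/<name>` stanza and the function names are assumptions, and only explicit stanzas are read (inherited app-level defaults are ignored).

```python
import re

# Constructed metadata/local.meta content for a hypothetical app.
SAMPLE_META = """\
[transforms/sample_lookup]
access = read : [ * ], write : [ * ]
export = system
owner = admin

[collections/sample_lookup]
access = read : [ admin, power ], write : [ admin ]
export = system
owner = admin
"""

def parse_meta(text):
    """Return {stanza: {"read": set_of_roles, "write": set_of_roles}}."""
    objects, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = objects.setdefault(header.group(1), {"read": set(), "write": set()})
        elif current is not None and line.startswith("access"):
            for perm, roles in re.findall(r"(read|write)\s*:\s*\[([^\]]*)\]", line):
                current[perm] = {r.strip() for r in roles.split(",") if r.strip()}
    return objects

def audit_lookup(meta_text, lookup, role):
    """List reasons `role` cannot read `lookup`, plus write grants open to all roles."""
    objects, findings = parse_meta(meta_text), []
    for kind in ("transforms", "collections"):
        stanza = f"{kind}/{lookup}"
        entry = objects.get(stanza)
        if entry is None:
            findings.append(f"{stanza}: no explicit stanza in this file")
            continue
        if not entry["read"] & {"*", role}:
            findings.append(f"{stanza}: role '{role}' has no read access")
        if "*" in entry["write"]:
            findings.append(f"{stanza}: write is open to every role")
    return findings

if __name__ == "__main__":
    for finding in audit_lookup(SAMPLE_META, "sample_lookup", "dashboard_viewer"):
        print(finding)
```
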

thambisetty
SplunkTrust

Yes, created a role and assigned a few users, and created a test user and added the test user to this role to test access.

After that, created an app and gave the newly created role access to the app. I am able to see the app and dashboards, but the only problem is with lookups.

I have shared the collections and transforms lookup, which are in the search app context, in all configurations to the newly created role and set "object should appear in" to all apps (global).

As you suggested, I have copied the metadata of the collections and transforms lookup to the newly created app, which is shared to the newly created role. Still no luck.

I have tested this with test user.

————————————
If this helps, give a like below.
0 Karma

renjith_nair
Legend

Hi @thambisetty,

I found a strange issue with kvstore lookup while testing your issue. Just to confirm, can you check if the default folder of the search app, i.e. etc/apps/search/default, has your collections.conf file? If it's not present, can you copy your collections.conf to that as well and try?

Happy Splunking!
0 Karma

thambisetty
SplunkTrust

It's in the local folder of the search application.

I don't think we can create a duplicate object in Splunk; though there is an option to create it using the file system, there could be some issues. Transform definition doesn't know where to read and write from/to wrt.

————————————
If this helps, give a like below.
0 Karma

renjith_nair
Legend

As mentioned earlier, try copying/moving it to the default folder and try. You are not creating any duplicate objects but just the configuration. Splunk has an internal mechanism for file precedence. So even though you have duplicate configuration files, Splunk knows how to handle it. Reference: http://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Wheretofindtheconfigurationfiles

Let us know if it works.

Happy Splunking!
0 Karma

thambisetty
SplunkTrust

Moved it to

search/default/collections.conf:1:[collection].

Tried accessing as user "test", who is part of the newly created role; still not working.

————————————
If this helps, give a like below.
0 Karma

renjith_nair
Legend

What's the exact error you are getting now? Hope the role you created has the search capability assigned.

Happy Splunking!
0 Karma

thambisetty
SplunkTrust

Yes,

change_own_password, dispatch_rest_to_indexers, export_results_is_visible, get_typeahead, pattern_detect, search

————————————
If this helps, give a like below.
0 Karma

renjith_nair
Legend

What's the exact error? Is it something similar to

Error in 'inputlookup' command: Lookup failed because collection 'my_collection_search' in app 'search' does not exist, or user 'admin' does not have read access
Happy Splunking!
0 Karma

thambisetty
SplunkTrust

No results found, try expanding the time range. In the job settings I got an error like below

The lookup table 'sample_lookup' is invalid.

————————————
If this helps, give a like below.
0 Karma

renjith_nair
Legend

Do you have this entry in your collections.conf?

[sample_lookup]

Make sure that this entry is in collections.conf and collections.conf is present in default

Happy Splunking!
0 Karma

thambisetty
SplunkTrust

No, that's the definition of the lookup defined in transforms.conf of the search local directory.

————————————
If this helps, give a like below.
0 Karma

renjith_nair
Legend

Whatever collection name you have provided in transforms.conf in collection =, should be present in collections.conf in the format [collection_name], which is in the default dir.

Happy Splunking!

thambisetty
SplunkTrust

Yes, it's there.

First defined in collections.conf and used collection name in transforms.conf

————————————
If this helps, give a like below.
0 Karma

renjith_nair
Legend

Ok. Just to double check, are you able to access this lookup with admin user/power user? Then we could isolate this to a user permission issue

Happy Splunking!
0 Karma

thambisetty
SplunkTrust

Yes, I can access this with the admin/power/user role in the same application where the new role doesn't have access.

————————————
If this helps, give a like below.
0 Karma