Splunk Search

Why do we have the --not exporting configurations globally to system-- message?

danielbb
Motivator

We have this message popping out -

-- Search peer SH name has the following message: Health Check: One or more apps ("SA-cim_vladiator-master") that had previously been imported are not exporting configurations globally to system. Configuration objects not exported to system will be unavailable in Enterprise Security.

Why is it?

Tags (3)
0 Karma

ololdach
Builder

Hi Daniel,

what the message says is that the knowledge objects defined inside the SA-cim_validator-master app cannot be seen from inside the Splunk Enterprise Security App, unless they are declared as "system". I assume that you have installed ES recently, which in turn activates the check for non-global objects in the health check. To resolve the "error" either remove the SA-cim_validator-master app or change the permissions of the app's knowledge objects to system. The error could also come from recent changes to the SA.../metadata/*.meta files that have in effect changed the permissions.

Best regards
Oliver

pkellyz
Explorer

Oliver,

Do you know if there are any other common causes for this?

I am getting the same error described above except I have three separate apps listed, none of which are SA-CIM...

I checked the first one in the GUI by going to Settings > Knowledge > All Configurations and under Permissions for all of the affected apps it's set to Global. When I open the permissions it's set so that Everyone can Read. I assume this should be sufficient.

I also checked the metadata file in local and for each type (tags, event types, transforms, props, lookups, virestates) they all have export = system.

Any ideas?

0 Karma

PranaySompalli
Explorer

you will need to put this setting in the add-on's metadata/local.meta file to allow everyone read access to all the objects defined in the add-on or app by default. That would stop the messages from showing up

[]
access = read : [ * ], write : [ admin ]
export = system

martaBenedetti
Path Finder

Thank you! Worked for me!

0 Karma

pkellyz
Explorer

Thank you! I updated the file on the deployment server and redeployed the apps. Now the error is gone!

0 Karma

wstarowicz
Path Finder

Is it safe to change ths setting?

0 Karma

warwicks
Explorer

Not always safe no.

You should be sure you want the KOs within an app to be exported system wide before you change this setting.

The doco for default.meta isn't particularly useful on this 

* By default, objects are only visible within the app in which they were created.
  To make an object available to all apps, set the object's 'export' setting to
  "system".
  * export = system

Essentially if you set the default to an app to system then the when you are in another app you will still see content from this app. That can be good but it can also be bad, if the app you set to export = system has overly complex props for field extraction etc they may start to make info harder to read in another app. When you search in Splunk you are doing so through several lenses or overlays, Your user, the seacrh head itself and then the app you are in and other apps that export to system. ES is a little different on that final bit in that it only "imports" other apps if they match a whitelist/pattern.

In the case of Cim validator there isn't much to worry about but it is always worth being sure you want to actually export to system before doing so.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...