Splunk, Where's my Props?!
Here’s the scenario. You find the perfect app for your data. You onboard the data, configure all your files, look through all your dashboards to finally see the views you have been waiting for. Then your greatest fear is realized, your dashboards are not working! You trouble shoot the searches in your dashboards and the fields that are needed for this search do not exist. Where are your field extractions?
Once you see that everything seems to be configured right on your app, you go through the TA apps you installed to make sure everything is working together. Everything seems to be right! Why can’t you get your dashboards to work?
If at first you don’t succeed—check, check your permissions. When you look under Manager>>Apps there is a “Sharing” column that is defaulted to Apps when you create or download an app. In order to make sure that you can see field extractions from one app to another, you need to be sure that your app is set to Global.
Under “Sharing”, click on Permissions. Once opened, at the bottom of the screen you will see where to change Sharing for config file-only objects:
This is exactly what we want to make global! To make this global set the permissions to All apps as shown above.
Once you save, you will go back to the Manager>>Apps and see that the permission for the TestApp has been changed from App to Global!
So let’s recap. For this example, we needed field extraction from one app to be used while in the context of another app. We changed our permissions to global, and now when we search in our main app we see our field extractions from our TA app! Success!
Before we think everything is done, there are some helpful hints to remember about permissions. Let’s say for example you had a props.conf set at all three levels: the user, the app, and the system. Splunk will always use the value of the user as preference over the app of system level. The priority descends:
- User directories for current user -- highest priority
- App directories for currently running app (local, followed by default)
- App directories for all other apps (local, followed by default) -- for exported settings only
- System directories (local, followed by default) -- lowest priority
Follow these helpful tips and you will never be asking, “Splunk, where’s my props?” ever again!
- Log in to post comments
Function1, Inc. Copyright 2024. All Rights Reserved