Share and promote Splunk knowledge objects
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
In Splunk, saved searches, saved reports, and event types are all Splunk knowledge objects. Knowledge objects are items that enrich your Splunk data and help you to efficiently find what you need.
In this topic we'll discuss how you can use Splunk Manager to share and promote saved searches, saved reports, and event types. This information also applies to knowledge objects such as navs, views, and python-based search commands. For more information about those types of knowledge objects, see the Knowledge Manager manual.
Note: Splunk knowledge objects also include fields, source types, event types, tags, and other items you currently cannot control the sharing of.
When you first save an object such as a search, report, or event type, it is only available to you in the app that you're in when you create it. To make these particular kinds of knowledge objects available to more users among multiple apps, you can take the following steps if you have the permissions to do so:
- Make objects available globally to all apps
- Set object permissions for other roles or users
- Make objects available to all users within an app or the global set of apps.
To share a Splunk knowledge object such as a saved search with other roles or users, you have to edit the permissions for the object. When you first create the object, its permissions are limited to you alone. Other users cannot access it, even if they are in the same app as you.
Note: When you grant a role the permission to work with an object, you are effectively transferring that permission to all users who have been assigned to that role.
To change the permissions for an object, follow these steps:
1. Select the Manager link to go to Splunk Manager. Navigate to the page for the type of object whose permissions you intend to update (such as Saved Searches or Event Types).
2. Find the object that you created (use the filtering fields at the top of the page if necessary) and click its Permissions link.
3. If you are editing permissions for a new saved search, saved report, or event type, select the checkbox at the top left-hand corner of the page to enable sharing for the object. You cannot update permissions if sharing is disabled for the object.
4. Under Access Control List, set the permissions for the object. In the list, locate the users and roles that should have access to the object. For each one, select a permission of either Read or Write.
- Read means that the user or role can see the object and use it, but they can't edit it. For example, in the case of saved searches, they'll be able to see it in the Searches dropdown (if they're in an app that the search was created in or promoted to), and they can run the search if they wish. But they won't be able to go to the details page for that saved search, edit it, and save it under the same name.
- Write means that the user or role can both use the object and update its defining details as necessary.
- If neither Read or Write are selected the user or role is unable to see or access the object from any app.
Make objects available to all users of an app
If you want to set permissions that make the object available to all users and roles, give them to the World role. For example, you can set World up with Read permissions, meaning that everyone can view and use the object, and then give a select few administrators Write (edit) permissions for the object.
Make objects available globally to all apps
When you first create an object it is initially available only to users of the app that you are in at the time.
If you want to make the object available to users in all apps, go to the Permissions page for that object (see the procedure above) and change Search should apear in from This app only to All apps.
Note: After you make an object available globally to all apps, you may want to review its user and role-level permissions, because its potential audience may have changed.
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.