Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Difficulty Locating Newly Added Calculated Field (Eval)

Ismail_BSA
Path Finder
2 weeks ago

Hello,

I recently encountered an issue with Splunk Cloud. After creating a new eval in the "Fields" menu under "calculated fields," named 'src' for the source type "my_source_type," I adjusted the permissions to make it readable and writable for my role, with app permissions set to all apps. However, upon saving these permissions, the eval disappeared, and I couldn't locate it anywhere.

Thinking it might not have saved properly, I attempted to recreate it with the same name and source type. However, when I tried to adjust the permissions, I received a red error banner stating: "Splunk could not update permissions for resource data/props/calcfields [HTTP 409] [{'type': 'ERROR', 'code': None, 'text': 'Cannot overwrite existing app object'}]"

Any recommendations on where I should search to locate the initially created eval that seems to have gone missing?

Thank you.

Labels (2)
Labels
0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
2 weeks ago

Hi @Ismail_BSA 

you can use following restcall to find caluclated fields created by you 


| rest splunk_server=local services/data/props/calcfields/  | search author = <yourid> | table attribute field.name eai:acl.app author eai:acl.sharing

 

----
Regards,
Sanjay Reddy

----
If this reply helps you, Karma would be appreciated

Reply

Ismail_BSA
Path Finder
a week ago

Hi @SanjayReddy 

 

Thank you for your reply.

 

Unfortunatelly, this is not working since your proposed commend will display the same fields as in the menu Fields>calculated fields. I think the issue is more related to the authorisations.  I am 100% sure that I allowed my role to read/write the newly created varaible. But I can't find it.

 

Regards.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...