Alerting

How do I set permissions for 'View Results in Splunk' link in alert emails so users do not get "The view you requested could not be found"??

cduryea
Engager

Splunk version 6.3.1

Scheduled search emails contain a link "View results in Splunk", but when our users (who actively use Splunk) click this link they get a message “The view you requested could not be found”. I can click the link and see the results, but I am a Splunk administrator. So this leads me to believe there is still a permissions issue residing somewhere.

The scheduled search is not privately owned, it is owned by the app and everyone has read permissions. I have tried this with two different scheduled searches and my users get the same message “The view you requested could not be found”. The results are not expired.

There is something simple I am overlooking and have run out of places to think to look.

Thanks

vijaysri
Contributor

Nothing worked. Can someone help me resolve the issue

0 Karma

thambisetty
Super Champion

@vijaysri 

There is a problem with URL generated by sendemail alert action. The URL which is generated by sendemail is not matched with the actual URL of results of your job. 

you might be seeing something like below in your view results link generated by sendemail alert action

(not working)

 

https://localhost/app/SplunkEnterpriseSecuritySuite/@go?sid=scheduler_aGVscGFnX2J0aGFtYmlzZXR0eQ--SplunkEnterpriseSecuritySuite--RMD5d9601e54d98432f3_at_1629087420_8139

 

The actual URL should be like below

(working)

 

https://localhost/app/SplunkEnterpriseSecuritySuite/@go?sid=scheduler_aGVscGFnX2J0aGFtYmlzZXR0eQ__SplunkEnterpriseSecuritySuite__RMD5d9601e54d98432f3_at_1629087420_8139

 

 

if you had closely observed the two URLs, -(hyphens) are replaced with _(underscore). 

As a workaround, try replacing -(hyphens) with _(underscore). It should give you the results if the job is not expired.

————————————
If this helps, give a like below.
0 Karma

richgalloway
SplunkTrust
SplunkTrust

@vijaysri You are responding to a question that is more than 2 years old so it's unlikely you'll get a response. You should post a new question explaining the problem you are having. Include a link to this question if you wish.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

DerekB
Splunk Employee
Splunk Employee

This is a known bug and fixed in 6.3.2. Try the latest release and see if that helps you.

0 Karma

cduryea
Engager

None of these answers worked. All my users still get the error message stated in OP. I as the administrator do not have this issue when I click the link the results come up.

0 Karma

vasanthmss
Motivator

Hi Cduryea,

You can set permissions on a per-object and per-app basis in Splunk Manager. Follow these instructions:

1. Click Settings in the top-level Splunk Enterprise menu.
2. In the Knowledge panel, select a category containing the object you want to edit permissions for. For example, to change permissions on a saved search, click Searches and reports. You can also select All configurations to access all the configurations in a given app.
3. Once you've found the object you want to set permissions for, click the permissions link next to the object.
4. Set permissions to read and/or write for all the roles listed.
5. Click Save.

Ref: http://docs.splunk.com/Documentation/Splunk/6.3.2/AdvancedDev/SetPermissions

Thanks,
V

somesoni2
Revered Legend

Who is the owner (in Setting-> Search and Reports and alert -> owner field)? One option that you can try is to change it to No Owner.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!