Splunk version 6.3.1
Scheduled search emails contain a link "View results in Splunk", but when our users (who actively use Splunk) click this link they get a message “The view you requested could not be found”. I can click the link and see the results, but I am a Splunk administrator. So this leads me to believe there is still a permissions issue residing somewhere.
The scheduled search is not privately owned, it is owned by the app and everyone has read permissions. I have tried this with two different scheduled searches and my users get the same message “The view you requested could not be found”. The results are not expired.
There is something simple I am overlooking and have run out of places to think to look.
Thanks
Nothing worked. Can someone help me resolve the issue
There is a problem with URL generated by sendemail alert action. The URL which is generated by sendemail is not matched with the actual URL of results of your job.
you might be seeing something like below in your view results link generated by sendemail alert action
(not working)
https://localhost/app/SplunkEnterpriseSecuritySuite/@go?sid=scheduler_aGVscGFnX2J0aGFtYmlzZXR0eQ--SplunkEnterpriseSecuritySuite--RMD5d9601e54d98432f3_at_1629087420_8139
The actual URL should be like below
(working)
https://localhost/app/SplunkEnterpriseSecuritySuite/@go?sid=scheduler_aGVscGFnX2J0aGFtYmlzZXR0eQ__SplunkEnterpriseSecuritySuite__RMD5d9601e54d98432f3_at_1629087420_8139
if you had closely observed the two URLs, -(hyphens) are replaced with _(underscore).
As a workaround, try replacing -(hyphens) with _(underscore). It should give you the results if the job is not expired.
@vijaysri You are responding to a question that is more than 2 years old so it's unlikely you'll get a response. You should post a new question explaining the problem you are having. Include a link to this question if you wish.
This is a known bug and fixed in 6.3.2. Try the latest release and see if that helps you.
None of these answers worked. All my users still get the error message stated in OP. I as the administrator do not have this issue when I click the link the results come up.
Hi Cduryea,
You can set permissions on a per-object and per-app basis in Splunk Manager. Follow these instructions:
1. Click Settings in the top-level Splunk Enterprise menu.
2. In the Knowledge panel, select a category containing the object you want to edit permissions for. For example, to change permissions on a saved search, click Searches and reports. You can also select All configurations to access all the configurations in a given app.
3. Once you've found the object you want to set permissions for, click the permissions link next to the object.
4. Set permissions to read and/or write for all the roles listed.
5. Click Save.
Ref: http://docs.splunk.com/Documentation/Splunk/6.3.2/AdvancedDev/SetPermissions
Thanks,
V
Who is the owner (in Setting-> Search and Reports and alert -> owner field)? One option that you can try is to change it to No Owner.