Alerting

Setting up permissions for viewing alerts?

szabados
Communicator

Users within my environment who have the Power user role in Splunk can't access the results of the alert; they are getting the "The view you requested could not be found." error message all the time. They have the "schedule_search" capability, which I believe is the one needed for this. It doesn't matter whether they try to open the link from the alert email or from the web GUI in the triggered alerts list.
Edit:
I checked in the audit.log, the only capability the user was denied is the "edit_user".
I granted this capability to the user's role, but they still can't see the alert; however, the denied lines disappeared from the log.

mgranger1
Path Finder

I'm having the exact same issue. The user is able to execute the alert search directly from the search bar, however when they attempt to open the "View Results" link in the alert email, it tells them, "The view you requested could not be found." As an administrative user, I am able to open the email link without issue, but a user or power user is unable to open the link.

frobinson_splun
Splunk Employee

Hi @szabados,
As a start, you could review the alert and alert action permissions that are set currently for this alert. Alerts and alert actions are knowledge objects with their own permissions. Here is some documentation:
http://docs.splunk.com/Documentation/Splunk/6.3.1511/Alert/AlertPermissions

Hope this helps!

szabados
Communicator

Thanks, but the concerned user's role has even write permissions (I've found this is a possible solution at a different question) for those objects.

somesoni2
SplunkTrust

If you look at the URL which will be launched on the click of "View results in Splunk", it points to a search result in the dispatch directory, which may have expired or been removed from the dispatch directory, depending upon the search job expiration. If the job is expired, you'll get that error, even as admin.

szabados
Communicator

Hi,

I'm afraid this is not the case. If there is a triggered alert, I can access it as an administrator, but not with a power user. The job can't be expired, because it was run like 1 minute ago, and it is also visible as admin.
Edit:
If I create an alert with a power user, that user can see its own alert.
