Alerting

Setting up permissions for viewing alerts?

Communicator

Users within my environment, who have the Power user role in Splunk, can't access the results of the alert; they are getting the "The view you requested could not be found." error message all the time. They have the "schedule_search" capability, which I believe is the needed one for this. It doesn't matter whether they try to open the link from the alert email or from the web GUI from the triggered alerts list.
Edit:
I checked in the audit.log; the only capability the user was denied is "edit_user".
I granted this capability to the user's role, but they still can't see the alert; however, the denied lines disappeared from the log.

Path Finder

I'm having the exact same issue. The user is able to execute the alert search directly from the search bar, however when they attempt to open the "View Results" link in the alert email, it tells them, "The view you requested could not be found." As an administrative user, I am able to open the email link without issue, but a user or power user is unable to open the link.

0 Karma

Splunk Employee

Hi @szabados,
As a start, you could review the alert and alert action permissions that are set currently for this alert. Alerts and alert actions are knowledge objects with their own permissions. Here is some documentation:
http://docs.splunk.com/Documentation/Splunk/6.3.1511/Alert/AlertPermissions

Hope this helps!

0 Karma

Communicator

Thanks, but the concerned user's role even has write permissions (I've found this as a possible solution in a different question) for those objects.

0 Karma

SplunkTrust

If you look at the URL that is launched on clicking "View results in Splunk", it points to a search result in the dispatch directory, which may have expired or been removed from the dispatch directory, depending upon the search job expiration. If the job is expired, you'll get that error, even as admin.

0 Karma

Communicator

Hi,

I'm afraid this is not the case. If there is a triggered alert, I can access it as an administrator, but not with a power user. The job can't be expired, because it was run like 1 minute ago, and is also visible as admin.
Edit:
If I create an alert with a power user, that user can see its own alert.

0 Karma