As the question states. We have the Splunk Add-on for Cisco ASA and just noticed that a non-admin user is not getting parsed fields for this sourcetype. I'm betting it's a permission issue, but can't pinpoint the exact cause.
So it looks like that role had access to the index, but not to the actual app itself.
So it looks like that role had access to the index, but not to the actual app itself.
Is the user searching using verbose or smart mode? or are they using fast mode which does not do search time extractions.
http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Changethesearchmode
I had them try verbose and smart mode. I found a similar thread but I don't follow: https://answers.splunk.com/answers/149742/field-parsing-works-for-admin-not-for-general-user.html