As the question states. We have the Splunk Add-on for Cisco ASA and just noticed that a non-admin user is not getting parsed fields for this sourcetype. I'm betting it's a permission issue, but can't pinpoint the exact cause.
So it looks like that role had access to the index, but not to the actual app itself.
View solution in original post
Is the user searching using verbose or smart mode? or are they using fast mode which does not do search time extractions.
http://docs.splunk.com/Documentation/Splunk/6.4.1/Search/Changethesearchmode
I had them try verbose and smart mode. I found a similar thread but I don't follow: https://answers.splunk.com/answers/149742/field-parsing-works-for-admin-not-for-general-user.html
