Hi Friends,
while I'm using |addinfo in my search and I can retrieve data successfully but our client can't view the data in this query. But they can access that index successfully. Only |addinfo is unable to search them.
Could you please guide me which capability related with this command ?
Which capability I need to provide permission to them to access |addinfo command ?
My query:
index=pg_idx_whse_snow_prod sourcetype="snow:incident" source="https://pgglobalenterprise.service-now.com/"
| addinfo
| eval earliest=strftime(info_min_time,"%Y-%m-%d %H:%M:%S"), latest=strftime(info_max_time,"%Y-%m-%d %H:%M:%S")
| where (sys_created_on>=earliest)
| dedup ticket_id
| stats count
Hi @isoutamo ,
Thank you so much for your reply. We just identified the issues. Its not relate with addinfo command.
| dedup ticket_id
This line has issue. Some of users don't have visibility to ticket_id field that's why they can't see the result.
Thanks once again.
Hi
are you sure that other team members have any results when they running 1st line separately?
I cannot recall that addinfo needs any special capability?
They could test if they can run it by
|makeresults
|addinfo
If this shows those fields then it's working for them.
r. Ismo
Hi @isoutamo ,
Thank you so much for your reply. We just identified the issues. Its not relate with addinfo command.
| dedup ticket_id
This line has issue. Some of users don't have visibility to ticket_id field that's why they can't see the result.
Thanks once again.