searches with eventtype not working for admin in ...

kranthimutyala · ‎07-15-2020

Hi All,

I have recently deployed Splunk Cisco ISE app into production and its working well for normal users.But as an admin i'm unable to see the dashboard panels populating.

All the panel searches are based on the eventtype and when I run those searches as an admin Im not getting the results but when I login as a normal test user and run those searches its working fine.

Eg : eventtype=cisco-ise | timechart usenull=f count by MESSAGE_CLASS

This search works for normal user but not with admin login.Im really surprised about this issue.Please let me know where I need to troubleshoot to resolve this issue.

Thanks.

gcusello · ‎07-16-2020

Hi @kranthimutyala,

it's a very strange thing!

see in eventtypes Permissions if admin role is explicity excluded from this role, but it's strange!

Ciao.

Giuseppe

kranthimutyala · ‎07-16-2020

Hi @gcusello

I have checked them and they are global with read/write access to admin

gcusello · ‎07-16-2020

Hi @kranthimutyala,

are there fields in the eventtypes?

if you run the search contained in eventtypes forcing the Verbose Mode, do you have results?

maybe it's a Mode problem.

if in Verbose Mode the search has results, move the fields contained in the eventtypes and the field MESSAGE_CLASS from Interesting Fileds in selected Fields and then run the same search in Smart Mode.

If you have results, your dashboard should run.

Ciao.

Giuseppe

searches with eventtype not working for admin in Cisco ISE app

administration

configuration

dashboard

search

troubleshooting

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!

What’s New in Splunk Cloud Platform 9.1.2308?