Archive

What does this bug mean?

Champion

Hi,

Reading the known issues for upgrading to 6.5.3... and saw this:

2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.
2. Assign this user ownership of the scheduled searches.
3. Share the searches at the app level and grant read/write permission to the correct set of users.

What does this mean exactly? ALL users can't run historical searches? Kind of a big bug, if that's the case... Is the solution saying that we need to create an additional admin/power user and then modify all searches?

Tags (2)
0 Karma
1 Solution

Contributor

The bug is poorly worded.

Basically, Splunk capabilities work exactly as intended. If a user does not have the capability to run schedule searches, even if an admin goes in and sets the restricted user's saved search to a scheduled search, the search won't run.

A bug that allowed admin to successfully set a search as scheduled for a user without that capability was fixed. Another customer that was using that "loophole" filed this bug when the loophole stopped working.

The work around to get the "loophole" back is by creating a the special "service account", giving ownership of the searches to that "service account", then giving each user that needs to modify those searches read/write permission.

View solution in original post

Contributor

The bug is poorly worded.

Basically, Splunk capabilities work exactly as intended. If a user does not have the capability to run schedule searches, even if an admin goes in and sets the restricted user's saved search to a scheduled search, the search won't run.

A bug that allowed admin to successfully set a search as scheduled for a user without that capability was fixed. Another customer that was using that "loophole" filed this bug when the loophole stopped working.

The work around to get the "loophole" back is by creating a the special "service account", giving ownership of the searches to that "service account", then giving each user that needs to modify those searches read/write permission.

View solution in original post

Champion

Thanks.

0 Karma

Contributor

You're welcome. Hat tip goes to jkat54 for pinging me about this question.

0 Karma

SplunkTrust
SplunkTrust

I asked someone with access to Jira if they can elaborate on it for you.

I've noticed you rarely accept answers though. Can you please revisit some of your old posts such as this one?

https://answers.splunk.com/answers/405080/why-is-my-splunk-rest-api-search-not-working-and-g.html

And let some folks know if they've answered your questions by clicking on "accept answer" or responding to their answer.

0 Karma

Champion

I wouldn't say rarely... as frequently as I should... probably not. Some of that is because the answers don't work, or priorities change... nature of the job, I'm afraid. I'll try to do better.

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!