Solved: search result issue by users - Splunk Community

Splunk Search

Same SPL result is different by user A and admin

SPL-> index=xxx

when I do search with userA's userid

"interesting fields" when searching with userA's ID and the results when searching with admin are different

so I was create new userID -> userB and assigned same role as userA
userB's search result is exactly the same result as admin

how to fix userA's search result problem?

admin result

UserA result

I was look up field1 value.
field1 is dst_ip

1 KB

1 KB

1 Solution

Solution

Users can create private knowledge objects for parsing events. If so, it would only impact that user.

Via the UI, you can look for private objects (field extrations, sourcetype renames, etc..) owned by userA:
Settings -> All Configuraitons

Or check the config files in their user directory $SPLUNK_HOME/etc/users/userA

View solution in original post

Solution

Users can create private knowledge objects for parsing events. If so, it would only impact that user.

Via the UI, you can look for private objects (field extrations, sourcetype renames, etc..) owned by userA:
Settings -> All Configuraitons

Or check the config files in their user directory $SPLUNK_HOME/etc/users/userA

I appreciate your help.

I appreciate your help !!

Glad it it worked for you!

Did it work?

Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

Unleash the power of Splunk Observability Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...