Sometimes users who get access via general role do not have access to indexes for all applications in our deployment. When such a user tries to search on an index he/she does not have access to, they get "No Results Found" which is mis-leading as the real reason is that they are not entitled to any of the search results. This is more of a problem for senior managers who start to think we do not have the data indexed.
Is it possible to change the message thats returned in such a scenario instead of default "No results found"?
I don't think so its possible. When you're writing a search, you just write filter clause, which will be searched upon the indexed data to which you have access to. So like if you don't have access to indexA and execute search "index=indexA", then Splunk searches from all the indexes your have access to for filter term "index=indexA" which obviously matches nothing and "No Results Found" is shown.
The function you need to use for this is | appendpipe
This allows you to
| eval columnname = "You're not allowed" | eval somecolumn = 0 | where count==0
Anandhim, does this solve your problem?