Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

User cannot display my dashboard. Is it a permission problem?

damonmanni
Path Finder
‎06-15-2017 11:10 AM

I have created a dashboard that displays:

panel-1: the disk usage of several mount points of two Linux servers in a simple line chart
panel-2: The prediction date of when disk space may run out if current trending continues as in panel-1.

This works fine when I run it as admin, but when a basic user runs the dashboard, they only see:
- Part of the top of the dashboard page (the Title, the radio buttons, and a caption)
- then "no results found"

Background:
- splunk v6.4.1
- I check a ton of docs, cannot zero in on issue.
- I tried various perm settings nothing works
- I don't know how to include an screenshot image of users results. I tried image?!...path... but no luck
- Could this be b/c I selected "inline search" instead of convert to report?

Perms settings for dashboard are set as:
- Owner= admin
- App = search
- Display for = all apps
- I selected clone to inline search
- I setup perms to be:
Everyone=Read
admin= write

Xml used:

      Ray NFS Server Dashboard
      
      
        
          Disk Usage
          
            
            Last 30 Days
            Last 60 Days
            Last 90 Days
            Last 180 Days
            30
            30
          
          
            Over last $days$ days
            
              host=mdc4vr1110 OR host=mdc4vr1111 source=df sourcetype=df mount="/*com*" | timechart eval(round((avg(storage_used)/1024/1024/1024/1024),2)) by mount
              -$days$d@d
              now
            
            ellipsisNone
            45
            visible
            visible
            visible
            linear
            linear
            0
            inherit
            line
            50
            10
            area
            gaps
            minmax
            0.01
            default
            shiny
            all
            0
            0
            ellipsisEnd
            left
            Time
            Terabytes
            value
            none
            0
            1
            1
            standard
            absolute
            after
            0
            1
            true
            false
            none
            1
            0
            20
          
        
      
      
        
          Disk Capacity Forecast
          
            
              host=mdc4vr1110 OR host=mdc4vr1111 source=df sourcetype=df mount="/*com*" | eval sutbs=(storage_used/1024/1024/1024/1024) | eval sutbsrnd=round(sutbs,2) | eventstats avg(sutbsrnd) AS sutbsavg by mount |fields _time storage_used sutbs sutbsrnd sutbsavg mount | timechart avg(sutbsrnd)| predict avg(sutbsrnd) future_timespan=$days$  algorithm=LLP5 | sort-_time |head 1 | eval predicted_date_epoch=_time | eval timenow_epoch=now() | eval days_remaining_epoch=predicted_date_epoch-timenow_epoch | eval days_remaining=strftime(days_remaining_epoch,"%d") |timechart sum(days_remaining)
              -$days$d@d
              now
            
            0
            1
            after
            -1y
            absolute
            standard
            0
            0
            [7,14,21,30]
            ["0xd93f3c","0xf7bc38","0x6db7c6","0x65a637","0x65a637"]
            0
            none
            block
            value
            search
            DAYS OF DISK SPACE REMAINING
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-15-2017 02:42 PM

You are following very bad practices in your search. You should ALWAYS specify index and sourcetype. If you fix this, probably it will just work. Your admin user probably has all indexes set for indexes searched by default and your other users have nothing for that value. If this is not it, then you need to give the other users permissions to search against the target index values.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-15-2017 02:42 PM

You are following very bad practices in your search. You should ALWAYS specify index and sourcetype. If you fix this, probably it will just work. Your admin user probably has all indexes set for indexes searched by default and your other users have nothing for that value. If this is not it, then you need to give the other users permissions to search against the target index values.

Reply
Solved! Jump to solution

damonmanni
Path Finder
‎06-15-2017 03:54 PM

Thank you also sir! Yep got that same advice from niketnilay earlier. It did solve my problem.

0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-15-2017 02:20 PM

What are the permissions on the dashboard? Owner, App, or All Apps?

0 Karma
Reply
Solved! Jump to solution

newbie2tech
Communicator
‎06-15-2017 02:32 PM

check if the user has access to the indexes involved in the searches

0 Karma
Reply
Solved! Jump to solution

gmchenry
Explorer
‎06-15-2017 11:14 AM

Are you both using the same make/model/version web browser?

0 Karma
Reply
Solved! Jump to solution

damonmanni
Path Finder
‎06-15-2017 11:39 AM

Myself and all users use: IE v11.9

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎06-15-2017 12:22 PM

@damonmanni add index to your base search query ( like index=abc etc) . Users might not have access to search the required index by default but admin may have that access.

In order to confirm you can ask users to run the following query with days hard coded in the base search ( I have used 30 days):

host=mdc4vr1110 OR host=mdc4vr1111 source=df sourcetype=df mount="/*com*" earliest=-30d@d latest=now
| timechart eval(round((avg(storage_used)/1024/1024/1024/1024),2)) by mount

It is actually a good practice to use index and sourcetype in your base search (even better if you can create a Knowledge Object as eventtype or macro for better maintenance and re-usability)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

damonmanni
Path Finder
‎06-15-2017 02:00 PM

Excellent suggestion niketnilay. I added index=os to the panel and they now can view it. I had no idea to think about perms/indexes relationship.

Thank you for the quick response.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎06-15-2017 06:23 PM

@damonmanni, I a glad it worked, do consider creating eventtype or macro for your base search with index and sourcetype (also with host and source as per your original search query).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...