Solved: User cannot display my dashboard. Is it a permiss...

damonmanni · ‎06-15-2017

I have created a dashboard that displays:

panel-1: the disk usage of several mount points of two Linux servers in a simple line chart
panel-2: The prediction date of when disk space may run out if current trending continues as in panel-1.

This works fine when I run it as admin, but when a basic user runs the dashboard, they only see:
- Part of the top of the dashboard page (the Title, the radio buttons, and a caption)
- then "no results found"

Background:
- splunk v6.4.1
- I check a ton of docs, cannot zero in on issue.
- I tried various perm settings nothing works
- I don't know how to include an screenshot image of users results. I tried image?!...path... but no luck
- Could this be b/c I selected "inline search" instead of convert to report?

Perms settings for dashboard are set as:
- Owner= admin
- App = search
- Display for = all apps
- I selected clone to inline search
- I setup perms to be:
Everyone=Read
admin= write

Xml used:

      Ray NFS Server Dashboard
      
      
        
          Disk Usage
          
            
            Last 30 Days
            Last 60 Days
            Last 90 Days
            Last 180 Days
            30
            30
          
          
            Over last $days$ days
            
              host=mdc4vr1110 OR host=mdc4vr1111 source=df sourcetype=df mount="/*com*" | timechart eval(round((avg(storage_used)/1024/1024/1024/1024),2)) by mount
              -$days$d@d
              now
            
            ellipsisNone
            45
            visible
            visible
            visible
            linear
            linear
            0
            inherit
            line
            50
            10
            area
            gaps
            minmax
            0.01
            default
            shiny
            all
            0
            0
            ellipsisEnd
            left
            Time
            Terabytes
            value
            none
            0
            1
            1
            standard
            absolute
            after
            0
            1
            true
            false
            none
            1
            0
            20
          
        
      
      
        
          Disk Capacity Forecast
          
            
              host=mdc4vr1110 OR host=mdc4vr1111 source=df sourcetype=df mount="/*com*" | eval sutbs=(storage_used/1024/1024/1024/1024) | eval sutbsrnd=round(sutbs,2) | eventstats avg(sutbsrnd) AS sutbsavg by mount |fields _time storage_used sutbs sutbsrnd sutbsavg mount | timechart avg(sutbsrnd)| predict avg(sutbsrnd) future_timespan=$days$  algorithm=LLP5 | sort-_time |head 1 | eval predicted_date_epoch=_time | eval timenow_epoch=now() | eval days_remaining_epoch=predicted_date_epoch-timenow_epoch | eval days_remaining=strftime(days_remaining_epoch,"%d") |timechart sum(days_remaining)
              -$days$d@d
              now
            
            0
            1
            after
            -1y
            absolute
            standard
            0
            0
            [7,14,21,30]
            ["0xd93f3c","0xf7bc38","0x6db7c6","0x65a637","0x65a637"]
            0
            none
            block
            value
            search
            DAYS OF DISK SPACE REMAINING

woodcock · ‎06-15-2017

You are following very bad practices in your search. You should ALWAYS specify index and sourcetype. If you fix this, probably it will just work. Your admin user probably has all indexes set for indexes searched by default and your other users have nothing for that value. If this is not it, then you need to give the other users permissions to search against the target index values.

View solution in original post

woodcock · ‎06-15-2017

You are following very bad practices in your search. You should ALWAYS specify index and sourcetype. If you fix this, probably it will just work. Your admin user probably has all indexes set for indexes searched by default and your other users have nothing for that value. If this is not it, then you need to give the other users permissions to search against the target index values.

damonmanni · ‎06-15-2017

Thank you also sir! Yep got that same advice from niketnilay earlier. It did solve my problem.

kmorris_splunk · ‎06-15-2017

What are the permissions on the dashboard? Owner, App, or All Apps?

newbie2tech · ‎06-15-2017

check if the user has access to the indexes involved in the searches

gmchenry · ‎06-15-2017

Are you both using the same make/model/version web browser?

damonmanni · ‎06-15-2017

Myself and all users use: IE v11.9

niketn · ‎06-15-2017

@damonmanni add index to your base search query ( like index=abc etc) . Users might not have access to search the required index by default but admin may have that access.

In order to confirm you can ask users to run the following query with days hard coded in the base search ( I have used 30 days):

host=mdc4vr1110 OR host=mdc4vr1111 source=df sourcetype=df mount="/*com*" earliest=-30d@d latest=now
| timechart eval(round((avg(storage_used)/1024/1024/1024/1024),2)) by mount

It is actually a good practice to use index and sourcetype in your base search (even better if you can create a Knowledge Object as eventtype or macro for better maintenance and re-usability)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

damonmanni · ‎06-15-2017

Excellent suggestion niketnilay. I added index=os to the panel and they now can view it. I had no idea to think about perms/indexes relationship.

Thank you for the quick response.

niketn · ‎06-15-2017

@damonmanni, I a glad it worked, do consider creating eventtype or macro for your base search with index and sourcetype (also with host and source as per your original search query).

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

User cannot display my dashboard. Is it a permission problem?

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake