Dashboards & Visualizations

What is the issue with users unable to see the dashboards irrespective of permissions / roles enabled?

DineshRaja
Loves-to-Learn Everything

Hi All, 
we have few dashboards which are using summary indexes to populate data. Few users reported that they are unable to see any values when they access respective dashboards (Issue is reproducible as well).  However, when I logged in admin user the dashboards are just working fine & values are up to date.

I have validated the roles assigned (authorize.conf) and it seems good and have access to summary indexes. 
[role_example_user]
srchIndexesAllowed = example_index;example_index2;summary_index1;summary_index2
srchMaxTime = 144000
importRoles = default_user

Also, validated default.meta configs and respective role has read access to the saved searches, views etc.

[savedsearches/summary_index1]
access = read : [ admin, role_example_user ], write : [ ]
export = none
owner = test_user

Still users with respective roles can't see anything on dashboards. 
Please let me know how I can fix this issue. 

Labels (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What results do the users get when they open the dashboard search separately?

0 Karma

DineshRaja
Loves-to-Learn Everything

It's always returning zero events as results (0/0) when running with user account. But When I execute same search with Admin account results are having numbers which is expected result ( e.g: 1234/10000).

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

OK one final guess, then you may have to give us more information, such as details of the search which is failing!

Does the search contain lookups or macros?

0 Karma

DineshRaja
Loves-to-Learn Everything

Dashboard query :

index="summary_index1" "search_name=summary_index1*" | eval SLR01 = if((duration>1.8 OR duration=0),"Breached","Not Breached") | where LC>1|dedup isoClearSysRef |stats count(eval(SLR01="Breached")) as Transaction_Count, count(SLR01) As Total_Transaction_Count|eval CountStatus= Transaction_Count+"/"+Total_Transaction_Count| table CountStatus

Results = CountStatus 0/0


Savedsearch for "summary_index1*"
index="test_index1" sourcetype="test_sourcetype" queueName=queue1 OR queueName=queue2 OR queueName= queue3 | rename isoMsgDefId as MD, queueName as QN | eval MD1=split(MD,"."), QN1=split(QN,"."), MD2=mvindex(MD1,0), MD3=mvindex(MD1,1) ,QN2=mvindex(QN1,5), pacs=MD2+MD3, ID4= coalesce(isoInstructionId,isoOriginalInstructionId)| sort 0 timeStamp | dedup isoClearSysRef pacs sortby +_time| search NOT (pacs="pain001" OR pacs="pain002") | eval Time=strftime(timeStamp,"%m/%d/%Y %H:%M:%S.%Q")| transaction isoClearSysRef keepevicted=true | streamstats count by QN2 | where linecount>1 | eval "OLA Status" = if((duration>1.3 OR linecount<2),"Breached","Not Breached") | rename isoClearSysRef as PaymentID pacs as "Exit/Entry" duration as "OLA (sec)", QN as queueName, timeStamp as "Time Stamp" ID4 as "isoInstructionID" | table "Time Stamp" queueName "Exit/Entry" "OLA (sec)" "OLA Status" PaymentID isoInstructionID | search NOT [search index=summary_index1 search_name=summary_index1| table "OLA (sec)" "OLA Status" PaymentID isoInstructionID ] | collect index=summary_index1 marker="search_name=summary_index1"

Results = No results to summary index.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @DineshRaja,

in your dashboard, are you using some knowledhe object as an eventtype or a tag or some field used in the search?

probably yes, so check the permissions of all these objects and enable the roles you're using.

Ciao.

Giuseppe

0 Karma

DineshRaja
Loves-to-Learn Everything

Hi @gcusello 
Thanks for the response. there are no event types / tags or other knowledge objects used in search. The search is using summary index & a saved search to populate data. The user role has read access to both.

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @DineshRaja,

could you share the savedsearch ?

Ciao.

Giuseppe

0 Karma

DineshRaja
Loves-to-Learn Everything

Hi @gcusello 

Here are the searches:

Dashboard query :

index="summary_index1" "search_name=summary_index1*" | eval SLR01 = if((duration>1.8 OR duration=0),"Breached","Not Breached") | where LC>1|dedup isoClearSysRef |stats count(eval(SLR01="Breached")) as Transaction_Count, count(SLR01) As Total_Transaction_Count|eval CountStatus= Transaction_Count+"/"+Total_Transaction_Count| table CountStatus

Results = CountStatus 0/0


Savedsearch for "summary_index1*"
index="test_index1" sourcetype="test_sourcetype" queueName=queue1 OR queueName=queue2 OR queueName= queue3 | rename isoMsgDefId as MD, queueName as QN | eval MD1=split(MD,"."), QN1=split(QN,"."), MD2=mvindex(MD1,0), MD3=mvindex(MD1,1) ,QN2=mvindex(QN1,5), pacs=MD2+MD3, ID4= coalesce(isoInstructionId,isoOriginalInstructionId)| sort 0 timeStamp | dedup isoClearSysRef pacs sortby +_time| search NOT (pacs="pain001" OR pacs="pain002") | eval Time=strftime(timeStamp,"%m/%d/%Y %H:%M:%S.%Q")| transaction isoClearSysRef keepevicted=true | streamstats count by QN2 | where linecount>1 | eval "OLA Status" = if((duration>1.3 OR linecount<2),"Breached","Not Breached") | rename isoClearSysRef as PaymentID pacs as "Exit/Entry" duration as "OLA (sec)", QN as queueName, timeStamp as "Time Stamp" ID4 as "isoInstructionID" | table "Time Stamp" queueName "Exit/Entry" "OLA (sec)" "OLA Status" PaymentID isoInstructionID | search NOT [search index=summary_index1 search_name=summary_index1| table "OLA (sec)" "OLA Status" PaymentID isoInstructionID ] | collect index=summary_index1 marker="search_name=summary_index1"

Results = No results to summary index.

Also, I have been seeing below messages on SHC:

Received event for unconfigured/disabled/deleted index=summary_index5 with source="source::sourcexxx" host="host:xxx" sourcetype="sourcetype::stash". So far received events from 7 missing index(es).

Is it something related to this issue?
note: the index configurations are available on indexers.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @DineshRaja,

only one additional question: does your search run with another user?

because I see in the generating search the you save in the summary index the following fields:

| table "Time Stamp" queueName "Exit/Entry" "OLA (sec)" "OLA Status" PaymentID isoInstructionID

but in the dashboard search you call other fields not present in the summary index: duration, LC, isoClearSysRef; you shouldn't have them!

at least, why do you use quote for the main search of you dashboard?

"search_name=summary_index1*"

In this way you search as a string not as a field.

Start you debugging from this second item and then modify the generating search.

Ciao.

Giuseppe

0 Karma

DineshRaja
Loves-to-Learn Everything

Hi @gcusello 
Thanks for the info. I don't know the exact logic behind the search or dashboard as they were created by Dev team. 
As an Admin I need to resolve the issue why users are unable to see the values in dashboards. Also, as updated in my previous comments, the search is running perfectly fine & fetching the results as per requirement when I logged in as admin user. 

0 Karma

DineshRaja
Loves-to-Learn Everything

Hi @gcusello 
Could you please help with your inputs if possible ?
Just looking out for some sort of help.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @DineshRaja,

let me summarize the issue:

  • you have a scheduled search that saves in an index (called summary_index1 ) the following fields: "Time Stamp" queueName "Exit/Entry" "OLA (sec)" "OLA Status" PaymentID isoInstructionID,
  • if you run the above search, you see the results, but when you add the collect command, the first search doesn't give any result;

the question is: do you see events in the summary index running only the main search (index="summary_index1" "search_name=summary_index1*" )?

If yes, you have to debug the search on the summary index, because probably the error is in the coditions of this search.

if not you have to debug the scheduled search because the problem is in the collect command (if you have results without the collect command) or in the conditions (if you haven't results without the collect command).

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...