What is the issue with users unable to see the dashboards irrespective of permissions / roles enabled?

DineshRaja
Loves-to-Learn Everything

Hi All,
We have a few dashboards which use summary indexes to populate data. A few users reported that they are unable to see any values when they access the respective dashboards (the issue is reproducible as well). However, when I logged in as the admin user, the dashboards work just fine and the values are up to date.

I have validated the roles assigned (authorize.conf); they seem good and have access to the summary indexes.
[role_example_user]
srchIndexesAllowed = example_index;example_index2;summary_index1;summary_index2
srchMaxTime = 144000
importRoles = default_user

Also, I validated the default.meta configs, and the respective role has read access to the saved searches, views, etc.

[savedsearches/summary_index1]
access = read : [ admin, role_example_user ], write : [ ]
export = none
owner = test_user

Still users with respective roles can't see anything on dashboards. 
Please let me know how I can fix this issue. 

0 Karma
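The two configuration checks described in the post above can be automated. This is an added example, not code from the thread: it resolves a role's searchable indexes through `importRoles` and audits the read ACL of a `default.meta` stanza, flagging entries that name an authorize.conf stanza (`role_<name>`) where the ACL expects the role name itself. The `role_default_user` and `role_admin` stanzas and all function names are assumptions made for illustration; whether the `role_` prefix in the quoted ACL is real or a side effect of anonymizing the post cannot be told from the page.

```python
import configparser
import re
from fnmatch import fnmatchcase
# Constructed input: the post's stanzas plus assumed role_default_user/role_admin.
AUTHORIZE_CONF = """
[role_example_user]
srchIndexesAllowed = example_index;example_index2;summary_index1;summary_index2
importRoles = default_user
[role_default_user]
srchIndexesAllowed = main
[role_admin]
srchIndexesAllowed = *;_*
"""
DEFAULT_META = """
[savedsearches/summary_index1]
access = read : [ admin, role_example_user ], write : [ ]
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    return cp

def roles(auth):  # authorize.conf stanzas are [role_<name>]; ACLs use <name>
    return {s[5:]: auth[s] for s in auth.sections() if s.startswith("role_")}

def effective_indexes(auth, role, seen=frozenset()):
    # Union of srchIndexesAllowed over the role and its importRoles chain.
    st = roles(auth).get(role)
    if st is None or role in seen:
        return set()
    out = {i.strip() for i in st.get("srchIndexesAllowed", "").split(";") if i.strip()}
    for parent in st.get("importRoles", "").split(";"):
        out |= effective_indexes(auth, parent.strip(), seen | {role})
    return out

def can_search(auth, role, index):
    # "*" does not cover internal (_-prefixed) indexes; those need "_*".
    return any(fnmatchcase(index, p) for p in effective_indexes(auth, role)
               if index.startswith("_") == p.startswith("_"))

def audit(auth, meta, role, obj):
    # Findings for one role against the read ACL of one knowledge object.
    m = re.search(r"read\s*:\s*\[([^\]]*)\]", meta[obj].get("access", ""))
    acl = {r.strip() for r in m.group(1).split(",") if r.strip()} if m else set()
    out = [] if acl & {"*", role} else [f"{role} not in read ACL of {obj}"]
    for e in sorted(acl - {"*"} - set(roles(auth))):
        hint = " (role_ stanza prefix?)" if e.removeprefix("role_") in roles(auth) else ""
        out.append(f"ACL entry {e} is not a defined role{hint}")
    return out
```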

ITWhisperer
SplunkTrust

What results do the users get when they open the dashboard search separately?

0 Karma

DineshRaja
Loves-to-Learn Everything

It's always returning zero events as results (0/0) when running with the user account. But when I execute the same search with the Admin account, the results have numbers, which is the expected result (e.g. 1234/10000).

0 Karma

ITWhisperer
SplunkTrust

OK one final guess, then you may have to give us more information, such as details of the search which is failing!

Does the search contain lookups or macros?

0 Karma

DineshRaja
Loves-to-Learn Everything

Dashboard query :

index="summary_index1" "search_name=summary_index1*" | eval SLR01 = if((duration>1.8 OR duration=0),"Breached","Not Breached") | where LC>1|dedup isoClearSysRef |stats count(eval(SLR01="Breached")) as Transaction_Count, count(SLR01) As Total_Transaction_Count|eval CountStatus= Transaction_Count+"/"+Total_Transaction_Count| table CountStatus

Results = CountStatus 0/0


Savedsearch for "summary_index1*"
index="test_index1" sourcetype="test_sourcetype" queueName=queue1 OR queueName=queue2 OR queueName= queue3 | rename isoMsgDefId as MD, queueName as QN | eval MD1=split(MD,"."), QN1=split(QN,"."), MD2=mvindex(MD1,0), MD3=mvindex(MD1,1) ,QN2=mvindex(QN1,5), pacs=MD2+MD3, ID4= coalesce(isoInstructionId,isoOriginalInstructionId)| sort 0 timeStamp | dedup isoClearSysRef pacs sortby +_time| search NOT (pacs="pain001" OR pacs="pain002") | eval Time=strftime(timeStamp,"%m/%d/%Y %H:%M:%S.%Q")| transaction isoClearSysRef keepevicted=true | streamstats count by QN2 | where linecount>1 | eval "OLA Status" = if((duration>1.3 OR linecount<2),"Breached","Not Breached") | rename isoClearSysRef as PaymentID pacs as "Exit/Entry" duration as "OLA (sec)", QN as queueName, timeStamp as "Time Stamp" ID4 as "isoInstructionID" | table "Time Stamp" queueName "Exit/Entry" "OLA (sec)" "OLA Status" PaymentID isoInstructionID | search NOT [search index=summary_index1 search_name=summary_index1| table "OLA (sec)" "OLA Status" PaymentID isoInstructionID ] | collect index=summary_index1 marker="search_name=summary_index1"

Results = No results to summary index.

0 Karma

gcusello
SplunkTrust

Hi @DineshRaja,

In your dashboard, are you using some knowledge object, such as an eventtype or a tag or some field used in the search?

Probably yes, so check the permissions of all these objects and enable the roles you're using.

Ciao.

Giuseppe

0 Karma

DineshRaja
Loves-to-Learn Everything

Hi @gcusello 
Thanks for the response. There are no event types / tags or other knowledge objects used in the search. The search is using a summary index & a saved search to populate data. The user role has read access to both.

0 Karma

gcusello
SplunkTrust

Hi @DineshRaja,

Could you share the savedsearch?

Ciao.

Giuseppe

0 Karma

DineshRaja
Loves-to-Learn Everything

Hi @gcusello 

Here are the searches:

Dashboard query :

index="summary_index1" "search_name=summary_index1*" | eval SLR01 = if((duration>1.8 OR duration=0),"Breached","Not Breached") | where LC>1|dedup isoClearSysRef |stats count(eval(SLR01="Breached")) as Transaction_Count, count(SLR01) As Total_Transaction_Count|eval CountStatus= Transaction_Count+"/"+Total_Transaction_Count| table CountStatus

Results = CountStatus 0/0


Savedsearch for "summary_index1*"
index="test_index1" sourcetype="test_sourcetype" queueName=queue1 OR queueName=queue2 OR queueName= queue3 | rename isoMsgDefId as MD, queueName as QN | eval MD1=split(MD,"."), QN1=split(QN,"."), MD2=mvindex(MD1,0), MD3=mvindex(MD1,1) ,QN2=mvindex(QN1,5), pacs=MD2+MD3, ID4= coalesce(isoInstructionId,isoOriginalInstructionId)| sort 0 timeStamp | dedup isoClearSysRef pacs sortby +_time| search NOT (pacs="pain001" OR pacs="pain002") | eval Time=strftime(timeStamp,"%m/%d/%Y %H:%M:%S.%Q")| transaction isoClearSysRef keepevicted=true | streamstats count by QN2 | where linecount>1 | eval "OLA Status" = if((duration>1.3 OR linecount<2),"Breached","Not Breached") | rename isoClearSysRef as PaymentID pacs as "Exit/Entry" duration as "OLA (sec)", QN as queueName, timeStamp as "Time Stamp" ID4 as "isoInstructionID" | table "Time Stamp" queueName "Exit/Entry" "OLA (sec)" "OLA Status" PaymentID isoInstructionID | search NOT [search index=summary_index1 search_name=summary_index1| table "OLA (sec)" "OLA Status" PaymentID isoInstructionID ] | collect index=summary_index1 marker="search_name=summary_index1"

Results = No results to summary index.

Also, I have been seeing the messages below on the SHC:

Received event for unconfigured/disabled/deleted index=summary_index5 with source="source::sourcexxx" host="host:xxx" sourcetype="sourcetype::stash". So far received events from 7 missing index(es).

Is it something related to this issue?
Note: the index configurations are available on the indexers.

0 Karma

gcusello
SplunkTrust

Hi @DineshRaja,

Only one additional question: does your search run with another user?

Because I see in the generating search that you save the following fields in the summary index:

| table "Time Stamp" queueName "Exit/Entry" "OLA (sec)" "OLA Status" PaymentID isoInstructionID

but in the dashboard search you call other fields not present in the summary index: duration, LC, isoClearSysRef; you shouldn't have them!

At least, why do you use quotes for the main search of your dashboard?

"search_name=summary_index1*"

In this way you search as a string, not as a field.

Start your debugging from this second item and then modify the generating search.

Ciao.

Giuseppe

0 Karma

DineshRaja
Loves-to-Learn Everything

Hi @gcusello 
Thanks for the info. I don't know the exact logic behind the search or dashboard, as they were created by the Dev team.
As an Admin, I need to resolve the issue of why users are unable to see the values in dashboards. Also, as updated in my previous comments, the search is running perfectly fine & fetching the results as per requirement when I logged in as the admin user.

0 Karma

DineshRaja
Loves-to-Learn Everything

Hi @gcusello 
Could you please help with your inputs if possible?
Just looking out for some sort of help.

0 Karma

gcusello
SplunkTrust

Hi @DineshRaja,

Let me summarize the issue:

  • you have a scheduled search that saves in an index (called summary_index1) the following fields: "Time Stamp" queueName "Exit/Entry" "OLA (sec)" "OLA Status" PaymentID isoInstructionID,
  • if you run the above search, you see the results, but when you add the collect command, the first search doesn't give any result;

The question is: do you see events in the summary index when running only the main search (index="summary_index1" "search_name=summary_index1*")?

If yes, you have to debug the search on the summary index, because probably the error is in the conditions of this search.

If not, you have to debug the scheduled search, because the problem is in the collect command (if you have results without the collect command) or in the conditions (if you don't have results without the collect command).

Ciao.

Giuseppe

0 Karma