Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Empty results from rest call in Report

felipetesta
Path Finder
‎06-21-2017 02:03 AM

Hello.
Running 6.6 (paid license) with LDAP authentication. I need to use my own email in a Report. I built a complex search that works, but once it is run as a Report the "| rest" call returns empty. So I tried to save a simpler search:

| rest /services/authentication/current-context | fields + email

When I run it in the free search it returns my address. When I run the Report it returns no data.

Is there something that prevents rest calls in saved searches? Is it a problem with permissions? (but in the simplest test case I am using my own account).

Help.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎06-22-2017 05:12 AM

Could be some funky issue with reports. Have you tried just using this search on the dashboard to set a token?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎06-22-2017 05:12 AM

Could be some funky issue with reports. Have you tried just using this search on the dashboard to set a token?

0 Karma
Reply
Solved! Jump to solution

felipetesta
Path Finder
‎06-23-2017 07:27 AM

Indeed, looks like an issue with reports. I inserted the full search query into a dashboard panel, gave it full visibility and it finally worked. I tested with three different users. Solved.

0 Karma
Reply
Solved! Jump to solution

felipetesta
Path Finder
‎06-21-2017 02:31 AM

Additional info. The big plan is to allow any user to authenticate on Splunk and see a read-only dashboard with an analysis of her/his operations as found in indexed logs (such as Country of last access, incoming/outgoing email/antispam statistics, ...). I need to determine their email address automatically and I think there's no other way than the REST call to current-context.

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎06-21-2017 10:57 AM

i'm unaware of any permissions/capabilities that would cause this issue. i just ran a super simple search and saved as a report and it seems to work for me, however.
|makeresults|eval data="testdata"|appendcols [| rest /services/authentication/current-context |fields email]

who owns the report? the report (and therefore the rest) will run as the owner of the report, i believe.

0 Karma
Reply
Solved! Jump to solution

felipetesta
Path Finder
‎06-22-2017 03:07 AM

The search is owned by me. I modified as shown

  • Show to Owner: works for owner, others don't see it.
  • Shared to App, runs as Owner, All R&W: works for owner, others see it amongst Searches but shows no email.
  • Shared to App, run as User, All R&W: works for owner, others see it amongst Searches but shows no email.

It works in the last configuration if I login as "admin", and admin's email address is shown. But not for other logins.

As admin I tried to share the report to all Apps (Global), same behavior: for normal users the saved search returns nothing.

The "Inspect > Search log" for a working and a non-working case is the same.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...