Empty results from rest call in Report

felipetesta
Path Finder

Hello.
Running 6.6 (paid license) with LDAP authentication. I need to use my own email in a Report. I built a complex search that works, but once it is run as a Report the "| rest" call returns empty. So I tried to save a simpler search:

| rest /services/authentication/current-context | fields + email 

When I run it in the free search it returns my address. When I run the Report it returns no data.

Is there something that prevents rest calls in saved searches? Is it a problem with permissions? (but in the simplest test case I am using my own account).

Help.

0 Karma

jplumsdaine22
Influencer

Could be some funky issue with reports. Have you tried just using this search on the dashboard to set a token?

0 Karma


felipetesta
Path Finder

Indeed, looks like an issue with reports. I inserted the full search query into a dashboard panel, gave it full visibility and it finally worked. I tested with three different users. Solved.

0 Karma

felipetesta
Path Finder

Additional info. The big plan is to allow any user to authenticate on Splunk and see a read-only dashboard with an analysis of her/his operations as found in indexed logs (such as Country of last access, incoming/outgoing email/antispam statistics, ...). I need to determine their email address automatically and I think there's no other way than the REST call to current-context.

0 Karma
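
The dashboard approach discussed above, sketched as Simple XML. This is an added example, not code posted by anyone in the thread. The index `example_mail` and the fields `recipient` and `action` are hypothetical placeholders; the `rest` query is the one from the question.

```xml
<dashboard>
  <label>My activity (example)</label>

  <!-- Base search: runs when the dashboard loads, in the context of the
       user viewing it, and exposes the email as a token. -->
  <search id="whoami">
    <query>| rest /services/authentication/current-context | fields + email</query>
    <done>
      <!-- No result (the symptom described for the saved report):
           leave the token unset so dependent panels stay hidden. -->
      <condition match="'job.resultCount' == 0">
        <unset token="user_email"></unset>
      </condition>
      <condition>
        <set token="user_email">$result.email$</set>
      </condition>
    </done>
  </search>

  <row>
    <!-- Rendered only once user_email has a value. -->
    <panel depends="$user_email$">
      <title>Mail activity for $user_email$</title>
      <table>
        <search>
          <!-- Hypothetical index and field names. The |s filter wraps the
               token value in quotes so it is treated as a single literal. -->
          <query>index=example_mail recipient=$user_email|s$ | stats count by action</query>
          <earliest>-7d@d</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

The token only controls what this dashboard displays. Users who can search the underlying index directly can still query other users' events, so per-user confidentiality has to come from role and index permissions.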

cmerriman
Super Champion

I'm unaware of any permissions/capabilities that would cause this issue. I just ran a super simple search and saved it as a report and it seems to work for me, however.
|makeresults|eval data="testdata"|appendcols [| rest /services/authentication/current-context |fields email]

Who owns the report? The report (and therefore the rest) will run as the owner of the report, I believe.

0 Karma

felipetesta
Path Finder

The search is owned by me. I modified it as shown:

  • Show to Owner: works for owner, others don't see it.
  • Shared to App, runs as Owner, All R&W: works for owner, others see it amongst Searches but shows no email.
  • Shared to App, run as User, All R&W: works for owner, others see it amongst Searches but shows no email.

It works in the last configuration if I log in as "admin", and admin's email address is shown. But not for other logins.

As admin I tried to share the report to all Apps (Global), same behavior: for normal users the saved search returns nothing.

The "Inspect > Search log" for a working and a non-working case is the same.

0 Karma