Hello.
Running 6.6 (paid license) with LDAP authentication. I need to use my own email in a Report. I built a complex search that works, but once it is run as a Report the "| rest" call returns empty. So I tried to save a simpler search:
| rest /services/authentication/current-context | fields + email
When I run it in the free search it returns my address. When I run the Report it returns no data.
Is there something that prevents rest calls in saved searches? Is it a problem with permissions? (but in the simplest test case I am using my own account).
Help.
Could be some funky issue with reports. Have you tried just using this search on the dashboard to set a token?
Indeed, looks like an issue with reports. I inserted the full search query into a dashboard panel, gave it full visibility and it finally worked. I tested with three different users. Solved.
Additional info. The big plan is to allow any user to authenticate on Splunk and see a read-only dashboard with an analysis of her/his operations as found in indexed logs (such as Country of last access, incoming/outgoing email/antispam statistics, ...). I need to determine their email address automatically and I think there's no other way than the REST call to current-context.
I'm unaware of any permissions/capabilities that would cause this issue. I just ran a super simple search and saved it as a report and it seems to work for me, however.
|makeresults|eval data="testdata"|appendcols [| rest /services/authentication/current-context |fields email]
Who owns the report? The report (and therefore the rest) will run as the owner of the report, I believe.
The search is owned by me. I modified as shown
It works in the last configuration if I log in as "admin", and admin's email address is shown. But not for other logins.
As admin I tried to share the report to all Apps (Global), same behavior: for normal users the saved search returns nothing.
The "Inspect > Search log" for a working and a non-working case is the same.