Getting Data In

Search not coming up with results for new hosts for non-admins

jdibble
Explorer

We've recently changed out our servers and when I use the searches against these new hosts using my user I am not getting the log results like I was with the old servers. We are definitely getting the log data but my user just can't access it. However, the admin user is getting the results. Furthermore any searches that are owned by my user do not get the results when they send out scheduled e-mail alerts, but the ones owned by the admin user do get results.

Is there a setting somewhere for these new hosts that I need to change?

0 Karma

gkanapathy
Splunk Employee

Possibilities:

  • You have different allowed indexes or default indexes
  • Your search depends on fields/field extractions/other objects that are either private or in an app that is not accessible to the user.
0 Karma

gkanapathy
Splunk Employee

You could look for any "Private" items owned by "admin" in the Manager GUI, perhaps under the "All Configurations" section.

0 Karma

jdibble
Explorer

How would I go about checking the second one?

0 Karma

kristian_kolb
Ultra Champion

good point on the second one /k

0 Karma

kristian_kolb
Ultra Champion

Does your ordinary user role have the right to access the index where the events get stored?

Have a look under

manager -> access controls -> roles -> <your_user_role>

Near the bottom of the page are the two settings for "indexes searched by default" and "indexes".

There may also be "search restrictions" added for that user role, see the top of the page, just under "default application".

UPDATE:
The interesting thing is whether there is a difference between what indexes the admin role and your ordinary user role have access to. If the access rights are the same, are the same indexes searched by default? Also, are there any search restrictions for your ordinary user role (usually there are no restrictions placed on the admin role)?

Hope this helps,

Kristian

0 Karma
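A quick way to check the first possibility (allowed indexes, indexes searched by default, and search restrictions) side by side for two roles, as an added example that is not part of this thread. The two role records are constructed sample data shaped like the `content` of a Splunk `/services/authorization/roles` entry, the index and host names are made up, and the restriction check only understands a single `host=` filter:

```python
"""Diagnose why one Splunk role sees events from an index/host and another does not,
using the three role settings the answer above points at."""
from fnmatch import fnmatch

# Constructed sample data: an admin role and an ordinary user role, with
# the fields named as they appear in the roles REST endpoint / authorize.conf.
ROLES = {
    "admin": {
        "srchIndexesAllowed": ["*", "_*"],
        "srchIndexesDefault": ["main", "os", "newservers"],
        "srchFilter": "",
    },
    "user": {
        "srchIndexesAllowed": ["main", "os"],
        "srchIndexesDefault": ["main"],
        "srchFilter": "host=oldsrv*",
    },
}


def index_matches(patterns, index):
    """Splunk index lists accept glob patterns such as '*' or 'os_*'."""
    return any(fnmatch(index, p) for p in patterns)


def diagnose(role, index, host):
    """Return the reasons a role would miss events from `index` on `host`.

    An empty list means the role's index settings do not explain the gap,
    so the next thing to check is private knowledge objects / app permissions."""
    reasons = []
    if not index_matches(role["srchIndexesAllowed"], index):
        reasons.append(f"index '{index}' is not in the role's allowed indexes")
    elif not index_matches(role["srchIndexesDefault"], index):
        reasons.append(f"index '{index}' is allowed but not searched by default")
    # Simplified: only a single 'host=<pattern>' restriction is interpreted here.
    filt = role.get("srchFilter", "")
    if filt.startswith("host=") and not fnmatch(host, filt[len("host="):]):
        reasons.append(f"search restriction '{filt}' excludes host '{host}'")
    return reasons


if __name__ == "__main__":
    for name, role in ROLES.items():
        problems = diagnose(role, "newservers", "newsrv01")
        print(name, "->", problems or ["index settings look fine"])
```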

jdibble
Explorer

In regards to your update, as I said before, I had tried removing my additional user roles so that my user only has the admin user role (which the actual admin user has).

0 Karma

jdibble
Explorer

I tried that and found that my user does have the admin user role. I had a couple of other user roles as well and tried removing them, logging out and back in, and searching again but the results are the same.

0 Karma