Getting Data In

Search results for a sourcetype are null for a certain user. Where should I check the permissions?

johnraftery
Communicator

We are using two different user accounts: the default admin account, and one we have created called "consultant", which is restricted.

When running this search:

eventtype=x sourcetype=y host=z | where NOT isnull(ACTION_MX_TIMING) | table ACTION_MX_TIMING

There are many results when running as admin, but none when running as consultant - all results are null.

Where should I check the permissions? In Manager » Access controls » Roles, they both have identical settings for "Indexes searched by default", and for "Indexes" (the two boxes at the bottom of the screen).

Thanks,
John

0 Karma

chimell
Motivator

Hi
go to

settings-->Eventtype
In the app context dropdown select All, in the Owner dropdown select consultant, and see if you have the x eventtype in the result.

0 Karma

johnraftery
Communicator

Hi, thanks for your answer, but my admin role has to be the owner of the eventtypes (you can only have one owner). I've given the consultant role read and write permission for the eventtype, but they still can't see any results.

0 Karma

vasildavid
Path Finder

I would make sure that the 'consultant' user has permissions to view whatever App context the 'eventtype' was created in. To explain in more detail, the 'admin' user probably has read/write permissions for that Splunk App, but 'consultant' does not, so when they use 'eventtype=x' they don't have access to that knowledge object and the search provides no results.

0 Karma

johnraftery
Communicator

Thanks. In Settings->Event types->[my eventtype], admin has read/write access, and "Everyone" (which includes consultant role) has read access. So it should work, no? Or are you thinking of a different settings page?

0 Karma

chimell
Motivator

In eventtype, give read/write access to the admin and consultant roles. If it doesn't work, verify consultant capabilities and her restrictions. Verify also the priority.

0 Karma

johnraftery
Communicator

Ok, I've given eventtype read/write access to consultant, and that didn't work. Can you please tell me how to verify the other things? Which screen should I use?

0 Karma

somesoni2
Revered Legend

Since you've two roles, check the permission on the eventtype (settings->Event types-> x) to see if your consultant role has permission or not.

johnraftery
Communicator

Thanks. In Settings->Event types->[my eventtype], admin has read/write access, and "Everyone" (which includes consultant role) has read access. So it should work, no?

0 Karma