We are using two different user accounts: the default admin account, and one we have created called "consultant", which is restricted.
When running this search:
eventtype=x sourcetype=y host=z | where NOT isnull(ACTION_MX_TIMING) | table ACTION_MX_TIMING
There are many results when running as admin, but none when running as consultant - all results are null.
Where should I check the permissions? In Manager » Access controls » Roles, they both have identical settings for "Indexes searched by default", and for "Indexes" (the two boxes at the bottom of the screen).
Hi, thanks for your answer, but my admin role has to be the owner of the eventtypes (you can only have one owner). I've given the consultant role read and write permission for the eventtype, but they still can't see any results.
I would make sure that the 'consultant' user has permissions to view whatever App context the 'eventtype' was created in. To explain in more detail, the 'admin' user probably has read/write permissions for that Splunk App, but 'consultant' does not, so when they use 'eventtype=x' they don't have access to that knowledge object and the search provides no results.
Thanks. In Settings->Event types->[my eventtype], admin has read/write access, and "Everyone" (which includes consultant role) has read access. So it should work, no? Or are you thinking of a different settings page?
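The app-context point raised in the answer above can be checked against the metadata/local.meta file of the app that owns the eventtype. This is an added example, not code from the thread or from Splunk: it parses a constructed sample file and applies a simplified model, assumed here, in which a role needs to be in the object's read list and the object must have `export = system` to be usable from a different app. The function names are hypothetical.

```python
import re

# Constructed sample of an app's metadata/local.meta (not taken from the thread).
SAMPLE_META = """
[]
access = read : [ * ], write : [ admin ]

[eventtypes/x]
access = read : [ * ], write : [ admin ]
export = none

[eventtypes/admin_only]
access = read : [ admin ], write : [ admin ]
export = system
"""

def parse_meta(text):
    """Return {stanza: {key: value}} for the contents of a .meta file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # "[]" becomes "" (app-wide default)
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def readers(access):
    """Extract the set of roles from the 'read : [ ... ]' part of an access line."""
    m = re.search(r"read\s*:\s*\[([^\]]*)\]", access or "")
    return {r.strip() for r in m.group(1).split(",") if r.strip()} if m else set()

def can_use(stanzas, obj, role, same_app):
    """Simplified check: role is in the read list AND the object is visible
    from the app the search runs in (same app, or exported system-wide)."""
    default = stanzas.get("", {})
    entry = stanzas.get(obj, {})
    allowed = readers(entry.get("access", default.get("access")))
    exported = entry.get("export", default.get("export", "none")) == "system"
    return ("*" in allowed or role in allowed) and (same_app or exported)

if __name__ == "__main__":
    meta = parse_meta(SAMPLE_META)
    for app_matches in (True, False):
        print("same app:", app_matches,
              "->", can_use(meta, "eventtypes/x", "consultant", app_matches))
```

In the constructed sample, "Everyone" has read access to eventtype x, yet the object is not exported, so a search run from another app does not see it.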