We are using two different user accounts: the defult admin account, and one we have created called "consultant", which is restricted.
When running this search:
eventtype=x sourcetype=y host=z | where NOT isnull(ACTION_MX_TIMING) | table ACTION_MX_TIMING
There are many results when running as admin, but none when running as consultant - all results are null.
Where should I check the permissions? In Manager » Access controls » Roles, they both have identical settings for "Indexes searched by default", and for "Indexes" (the two boxes at the bottom of the screen).
Thanks,
John
Hi
go to
settings-->Eventtype
in app context dropdown select All , in Owner dropdown select consultant and see if you have x eventtype in the result
Hi, thanks for your answer, but my admin role has to be the owner of the eventtypes (you can only have one owner). I've given the consultant role read and write permission for the eventtype, but they still can't see any results.
I would make sure that the 'consultant' user has permissions to view whatever App context the 'eventtype' was created in. To explain in more detail, the 'admin' user probably has read/write permissions for that Splunk App, but 'consultant' does not, so when they use 'eventtype=x' they don't have access to that knowledge object and the search provides no results.
Thanks. In Settings->Event types->[my eventtype], admin has read/write access, and "Everyone" (which includes consultant role) has read access. So it should work, no? Or are you thinking of a different settings page?
In eventtype give read/write access to admin and consultant roles .if it don't works ,verify consultant capabilities and her restrictions . Verify also the priority
Ok, I've given eventtype read/write access to consultant, and that didn't work. Can you please tell me how to verify the other things? Which screen should I use?
Since you've two roles, check the permission on the eventtype (settings->Event types-> x) to see if your consultant role has permission or not.
Thanks. In Settings->Event types->[my eventtype], admin has read/write access, and "Everyone" (which includes consultant role) has read access. So it should work, no?