Getting Data In

Search results for a sourcetype are null for a certain user. Where should I check the permissions?

Communicator

We are using two different user accounts: the default admin account, and one we have created called "consultant", which is restricted.

When running this search:

eventtype=x sourcetype=y host=z | where NOT isnull(ACTION_MX_TIMING) | table ACTION_MX_TIMING

There are many results when running as admin, but none when running as consultant - all results are null.

Where should I check the permissions? In Manager » Access controls » Roles, they both have identical settings for "Indexes searched by default", and for "Indexes" (the two boxes at the bottom of the screen).

Thanks,
John

0 Karma

Re: Search results for a sourcetype are null for a certain user. Where should I check the permissions?

SplunkTrust

Since you've two roles, check the permission on the eventtype (settings->Event types-> x) to see if your consultant role has permission or not.


Re: Search results for a sourcetype are null for a certain user. Where should I check the permissions?

Communicator

Thanks. In Settings->Event types->[my eventtype], admin has read/write access, and "Everyone" (which includes consultant role) has read access. So it should work, no?

0 Karma

Re: Search results for a sourcetype are null for a certain user. Where should I check the permissions?

Path Finder

I would make sure that the 'consultant' user has permissions to view whatever App context the 'eventtype' was created in. To explain in more detail, the 'admin' user probably has read/write permissions for that Splunk App, but 'consultant' does not, so when they use 'eventtype=x' they don't have access to that knowledge object and the search provides no results.

0 Karma
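The app-versus-object question raised in the reply above can be checked offline against an app's .meta file. This is an added example, not code from any poster in the thread: it applies the layered read rule for Splunk .meta files (read is needed on the app `[]` stanza, the category stanza and the object stanza). The file content, the `user` role and the function names are constructed for illustration, and treating a layer with no access line as unrestricted is an assumption.

```python
import re

# Constructed sample of an app's metadata/local.meta (not taken from the thread).
SAMPLE_META = """\
[]
access = read : [ admin ], write : [ admin ]

[eventtypes]
export = system

[eventtypes/x]
access = read : [ * ], write : [ admin, consultant ]
"""

def parse_meta(text):
    """Return {stanza_name: {key: value}} from .meta-style text."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def read_roles(stanza):
    """Roles listed in 'read : [ ... ]', or None when the stanza sets no access."""
    m = re.search(r"read\s*:\s*\[([^\]]*)\]", stanza.get("access", ""))
    return None if m is None else {r.strip() for r in m.group(1).split(",") if r.strip()}

def blocking_layers(meta, category, name, roles):
    """Layers (app, category, object) whose read ACL excludes every role in `roles`.

    Assumption: a layer with no access line does not restrict reads.
    """
    blocked = []
    for label, key in (("app", ""), ("category", category), ("object", f"{category}/{name}")):
        allowed = read_roles(meta.get(key, {}))
        if allowed is not None and "*" not in allowed and not (allowed & set(roles)):
            blocked.append(label)
    return blocked

if __name__ == "__main__":
    meta = parse_meta(SAMPLE_META)
    # The object grants read to everyone, yet the app layer still blocks these roles.
    print(blocking_layers(meta, "eventtypes", "x", ["consultant", "user"]))
```

In the constructed file the eventtype itself is readable by everyone, so the Event types permissions screen looks correct while the app-level stanza is what excludes the restricted role.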

Re: Search results for a sourcetype are null for a certain user. Where should I check the permissions?

Communicator

Thanks. In Settings->Event types->[my eventtype], admin has read/write access, and "Everyone" (which includes consultant role) has read access. So it should work, no? Or are you thinking of a different settings page?

0 Karma

Re: Search results for a sourcetype are null for a certain user. Where should I check the permissions?

Motivator

In the eventtype, give read/write access to the admin and consultant roles. If it doesn't work, verify the consultant's capabilities and restrictions. Also verify the priority.

0 Karma

Re: Search results for a sourcetype are null for a certain user. Where should I check the permissions?

Communicator

Ok, I've given eventtype read/write access to consultant, and that didn't work. Can you please tell me how to verify the other things? Which screen should I use?

0 Karma

Re: Search results for a sourcetype are null for a certain user. Where should I check the permissions?

Motivator

Hi,

Go to Settings-->Eventtype. In the App context dropdown select All, in the Owner dropdown select consultant, and see if you have the x eventtype in the results.

0 Karma

Re: Search results for a sourcetype are null for a certain user. Where should I check the permissions?

Communicator

Hi, thanks for your answer, but my admin role has to be the owner of the eventtypes (you can only have one owner). I've given the consultant role read and write permission for the eventtype, but they still can't see any results.

0 Karma