Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

403 error following saved-search link

grahampoulter
Path Finder
‎06-27-2011 07:19 AM

An unprivileged user following the "Link to results" for the scheduled search email globally-shared saved search on Splunk 4.2 (Windows x64) that was created by admin results in a 403 error, but replacing the @go in the URL with "flashtimeline" shows the results.

Steps to reproduce:

  • Create a saved search from admin role, schedule it, and share with app or globally. That is, give read permission for Everyone.
  • Follow the "Link to Results" in the scheduled email, logging in as unprivileged User: Link to results: http://example.com:8000/app/search/@go? sid=scheduler__admin__search_TGl2ZSBXTUkgU1FMIEV4Y2VwdGlvbnM_at_1309182600_34add1b3a8f9c6a6
  • Receive 403 error >AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; None`

If you replace the @go in the link with "flashtimeline", there is no 403 error and the search results display.

Alternatively, if you log in as an admin role instead of a user role, there is no 403 error and search results display.

I think there is a bug in the handling of the the @go part of the URL, causing a 403 response to users who are not admin or owner of the saved search, despite global sharing with "Everyone".

Related to Q10946

The user role already has the rest_properties_get capability.

Reply
1 Solution
Solved! Jump to solution
Solution

piebob
Splunk Employee
Splunk Employee
‎07-07-2011 08:21 AM

this is a known issue in at least 4.2.2, filed as SPL-40451. as you note, the workaround (until a fix is included in a maintenance release) is to change .../@go?sid=.... to .../flashtimeline?sid=... in the URL within the email.

View solution in original post

Reply
Solved! Jump to solution
Solution

piebob
Splunk Employee
Splunk Employee
‎07-07-2011 08:21 AM

this is a known issue in at least 4.2.2, filed as SPL-40451. as you note, the workaround (until a fix is included in a maintenance release) is to change .../@go?sid=.... to .../flashtimeline?sid=... in the URL within the email.

Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...