Reporting

403 error following saved-search link

grahampoulter
Path Finder

An unprivileged user following the "Link to results" in the scheduled search email for a globally-shared saved search on Splunk 4.2 (Windows x64) that was created by admin gets a 403 error, but replacing the @go in the URL with "flashtimeline" shows the results.

Steps to reproduce:

  • Create a saved search from admin role, schedule it, and share with app or globally. That is, give read permission for Everyone.
  • Follow the "Link to Results" in the scheduled email, logging in as unprivileged User: `Link to results: http://example.com:8000/app/search/@go?sid=scheduler__admin__search_TGl2ZSBXTUkgU1FMIEV4Y2VwdGlvbnM_at_1309182600_34add1b3a8f9c6a6`
  • Receive 403 error: `AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; None`

If you replace the @go in the link with "flashtimeline", there is no 403 error and the search results display.

Alternatively, if you log in as an admin role instead of a user role, there is no 403 error and search results display.

I think there is a bug in the handling of the @go part of the URL, causing a 403 response to users who are not admin or owner of the saved search, despite global sharing with "Everyone".

Related to Q10946

The user role already has the rest_properties_get capability.

1 Solution

piebob
Splunk Employee

this is a known issue in at least 4.2.2, filed as SPL-40451. as you note, the workaround (until a fix is included in a maintenance release) is to change .../@go?sid=.... to .../flashtimeline?sid=... in the URL within the email.
