Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

403 error following saved-search link

grahampoulter
Path Finder
‎06-27-2011 07:19 AM

An unprivileged user following the "Link to results" for the scheduled search email globally-shared saved search on Splunk 4.2 (Windows x64) that was created by admin results in a 403 error, but replacing the @go in the URL with "flashtimeline" shows the results.

Steps to reproduce:

  • Create a saved search from admin role, schedule it, and share with app or globally. That is, give read permission for Everyone.
  • Follow the "Link to Results" in the scheduled email, logging in as unprivileged User: Link to results: http://example.com:8000/app/search/@go? sid=scheduler__admin__search_TGl2ZSBXTUkgU1FMIEV4Y2VwdGlvbnM_at_1309182600_34add1b3a8f9c6a6
  • Receive 403 error >AuthorizationFailed: [HTTP 403] Client is not authorized to perform requested action; None`

If you replace the @go in the link with "flashtimeline", there is no 403 error and the search results display.

Alternatively, if you log in as an admin role instead of a user role, there is no 403 error and search results display.

I think there is a bug in the handling of the the @go part of the URL, causing a 403 response to users who are not admin or owner of the saved search, despite global sharing with "Everyone".

Related to Q10946

The user role already has the rest_properties_get capability.

Reply
1 Solution
Solved! Jump to solution
Solution

piebob
Splunk Employee
Splunk Employee
‎07-07-2011 08:21 AM

this is a known issue in at least 4.2.2, filed as SPL-40451. as you note, the workaround (until a fix is included in a maintenance release) is to change .../@go?sid=.... to .../flashtimeline?sid=... in the URL within the email.

View solution in original post

Reply
Solved! Jump to solution
Solution

piebob
Splunk Employee
Splunk Employee
‎07-07-2011 08:21 AM

this is a known issue in at least 4.2.2, filed as SPL-40451. as you note, the workaround (until a fix is included in a maintenance release) is to change .../@go?sid=.... to .../flashtimeline?sid=... in the URL within the email.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...