Reporting

After upgrading from Splunk 6.2.x to 6.3.0, why are scheduled searches by users not accessible to others? "The view you requested could not be found."

Explorer

Hi,

When accessing recent runs of searches by link in the form of:
http_//splunkserver/sv-SE/app/appname/@go?sid=scheduler_username_identifier-at-time

Example: user john doe created the scheduled search and the link to get to it is as follows:
http_//splunkserver.se/sv-SE/app/myapp/@go?sid=scheduler_johndoe_YXZhbnphLXN1cnZlaWxsYW5jZQ__RMD5f9dd4cd6d8829f68_at_1447675200_77841

All users other than admin user and the user who scheduled the search are faced with this message following the link:

"The view you requested could not be found."

The access is made within the TTL (since it works for john doe) and I think I have full read rights on all that has tried accessing the search.

I have until now not found an answer to this and I think this appeared when upgrading from 6.2.x to 6.3.0 recently.

Thanks in advance!
/Per

1 Solution

Splunk Employee
Splunk Employee

Looks like you are hitting a known bug (SPL-108433), which has been addressed in maintenance release 6.3.2 and higher:
http://docs.splunk.com/Documentation/Splunk/6.3.2/ReleaseNotes/6.3.2

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

Looks like you are hitting a known bug (SPL-108433), which has been addressed in maintenance release 6.3.2 and higher:
http://docs.splunk.com/Documentation/Splunk/6.3.2/ReleaseNotes/6.3.2

View solution in original post

0 Karma

Explorer

I found the answer myself!

In accordance to http://docs.splunk.com/Documentation/Splunk/6.3.1/Report/Schedulereports the results.url is now deprecated and and reccomends use of results_link instead.

Don't know if this should have been taken care of by the migration or what but alert_actions.conf still says that the $results.url$ are passed to scripts etc.

So if anyone else has a problem with this, change results.url to results_link and it'll work.

Explorer

After more digging i find that I hit some 403 when getting the search under the hood.

0 Karma

Explorer

Was this ever resolved?

0 Karma

SplunkTrust
SplunkTrust

I can totally reproduce this bug.

1) using Splunk 6.3.1 have an Admin user create a savedsearch/alert.
2) Change the permissions on the saved search so that all can read and you can put the app in "All Apps".
3) Modify search to send mail to a Power user and an Admin user
4) The Admin user can see the content. The Power user will get "The view you requested could not be found."

I opened a case yesterday with Splunk about this. I believe also that it used to work and is likely a 6.2->6.3 bug.

0 Karma

SplunkTrust
SplunkTrust

Update: I tried on Splunk 6.3.2 and the problem is fixed.

0 Karma

Explorer

have not yet got this to work properly by adding the "command " in all stanzas the splunk/etc/system/local/alert_action.conf. still default says $results.url$.
Reporting here when i have something working in case anyone else has the same problem

0 Karma

Explorer

for some reason the $results_link$ and $results.url$ produce the same (non functioning) link.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!