When accessing recent runs of searches by link in the form of:
Example: user john doe created the scheduled search and the link to get to it is as follows:
All users other than admin user and the user who scheduled the search are faced with this message following the link:
"The view you requested could not be found."
The access is made within the TTL (since it works for john doe) and I think I have full read rights on all that has tried accessing the search.
I have until now not found an answer to this and I think this appeared when upgrading from 6.2.x to 6.3.0 recently.
Thanks in advance!
I found the answer myself!
In accordance to http://docs.splunk.com/Documentation/Splunk/6.3.1/Report/Schedulereports the results.url is now deprecated and and reccomends use of results_link instead.
Don't know if this should have been taken care of by the migration or what but alert_actions.conf still says that the $results.url$ are passed to scripts etc.
So if anyone else has a problem with this, change results.url to results_link and it'll work.
I can totally reproduce this bug.
1) using Splunk 6.3.1 have an Admin user create a savedsearch/alert.
2) Change the permissions on the saved search so that all can read and you can put the app in "All Apps".
3) Modify search to send mail to a Power user and an Admin user
4) The Admin user can see the content. The Power user will get "The view you requested could not be found."
I opened a case yesterday with Splunk about this. I believe also that it used to work and is likely a 6.2->6.3 bug.
have not yet got this to work properly by adding the "command " in all stanzas the splunk/etc/system/local/alert_action.conf. still default says $results.url$.
Reporting here when i have something working in case anyone else has the same problem