Reporting

How to run a savedsearch with the owner permission?

Contributor

Hello,

I am creating a dashboard with a saved search and I want it to run with the owner permission.

Using the following works:

<table>
        <title>test with owner perm</title>
        <search ref="test"></search>
        ...
</table>

But the following doesn't:

<table>
        <title>bla bla</title>
        <search>
          <query>| savedsearch test</query>
        </search>
</table>

Unfortunately, I need to use the "savedsearch" command in order to map a token in my savedsearch. But using "savedsearch", the search is ran as the user, not the owner.

Any idea?

Labels (1)
1 Solution

SplunkTrust
SplunkTrust

When you use the <search ref=".., it basically loads the run the Report itself and the user under which it'll run be decided by how it was setup (to run as owner OR run as user). You can't change the Report search or time range.

When you use the | savedsearch reportname command, it basically replaces the query of the report their itself and runs as regular query. All regular query run from the account running it so, if you're looking to run a report (parameterized) from a dashboard to run as owner instead of current user, it's not possible currently.

Workaround may be possible if you can remove the token/parameter from the query to load all results, and use post process to filter results in dashboard, but again it'll depend on your query if that is possible.

View solution in original post

0 Karma

Explorer

Just ran into this as well. Having to use the ref instead of |savedsearch means I'll be pulling in quite a bit more data and then using the input of dashboard panel to filter.

ref -> can't pass variables/tokens but can run as owner of saved search
|savedsearch -> can't run as owner of saved search when passing variables/tokens

0 Karma

SplunkTrust
SplunkTrust

When you use the <search ref=".., it basically loads the run the Report itself and the user under which it'll run be decided by how it was setup (to run as owner OR run as user). You can't change the Report search or time range.

When you use the | savedsearch reportname command, it basically replaces the query of the report their itself and runs as regular query. All regular query run from the account running it so, if you're looking to run a report (parameterized) from a dashboard to run as owner instead of current user, it's not possible currently.

Workaround may be possible if you can remove the token/parameter from the query to load all results, and use post process to filter results in dashboard, but again it'll depend on your query if that is possible.

View solution in original post

0 Karma

Contributor

Thank you. I think I'll try to filter with a post process search.

0 Karma

Motivator

craf,

I am not exactly sure this is the answer to what you want but it ensures that the job returns results as the owner of the search.

| loadjob savedsearch="admin:search:MySavedSearch"

Now, this only works with scheduled saved searches and returns the results of the latest run search. https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Loadjob

0 Karma

Contributor

Thank you for your answer, but it's not what I'd like since it's for a search in an dashboard with potential filters (inputs, dropdown, ...) that will change my search.

0 Karma

Contributor

Please, anyone ? 🙂

0 Karma

Legend

which version splunk?

0 Karma

Contributor

6.3.3. Is there a new version that allows to do it?

0 Karma

Legend

I know in 6.4 you can select run as owner vs user (may have been introduced in 6.3). Having said that, the default is owner.

http://docs.splunk.com/Documentation/Splunk/6.4.3/Report/Createandeditreports

0 Karma

Contributor

Thank you but it already exists in 6.3:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Report/Createandeditreports

It's what I am using in my first example ()

0 Karma