Hi all,
As an admin user, I am unable to see private dashboards and searches saved by some users. I know that a number of these exist, including some from users who have now left the company. What is the easiest way of cleaning up these objects?
I can confirm that the admin role has the 'admin_all_objects' capability.
Thanks in advance,
Alex
Hi alekksi
Verify if in your splunk instance Admin Role has all the following selected capabilities
accelerate_datamodel
admin_all_objects
change_authentication
edit_deployment_client
edit_deployment_server
edit_dist_peer
edit_forwarders
edit_httpauths
edit_input_defaults
edit_monitor
edit_roles
edit_scripted
edit_search_head_clustering
edit_search_scheduler
edit_search_server
edit_server
edit_splunktcp
edit_splunktcp_ssl
edit_tcp
edit_token_http
edit_udp
edit_user
edit_view_html
edit_web_settings
edit_win_admon
edit_win_eventlogs
edit_win_perfmon
edit_win_regmon
edit_win_wmiconf
get_diag
indexes_edit
license_edit
license_tab
list_deployment_client
list_deployment_server
list_forwarders
list_httpauths
list_pdfserver
list_search_head_clustering
list_search_scheduler
list_win_localavailablelogs
rest_apps_management
restart_splunkd
run_debug_commands
web_debug
Verify also imported capabilities
accelerate_search
change_own_password
edit_sourcetypes
embed_report
get_metadata
get_typeahead
input_file
list_inputs
output_file
pattern_detect
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
rtsearch
schedule_rtsearch
schedule_search
search
I dont follow. Going to Settings -> All Configurations just brings you to 20+ pages of indecipherable object names. The answer for this question does not address what someone using Splunk Web would do in order to change the permissions required to see alerts that a user has made and never shared globally.
Check under Settings -> All Configurations
. You should be able to see all dashboards under config type view and similarly other objects as well. You might need to edit permissions there to share from private to Global to list them under dashboards
Worked like a charm!
I don't think you can actually view the dashboard - you can only see the object in the manager list, and edit its permissions. You will have to manually set permissions to allow the admins role to "read" the view/search etc.
Yep -- you're right for this one. Thanks
Hi alekksi
Verify if in your splunk instance Admin Role has all the following selected capabilities
accelerate_datamodel
admin_all_objects
change_authentication
edit_deployment_client
edit_deployment_server
edit_dist_peer
edit_forwarders
edit_httpauths
edit_input_defaults
edit_monitor
edit_roles
edit_scripted
edit_search_head_clustering
edit_search_scheduler
edit_search_server
edit_server
edit_splunktcp
edit_splunktcp_ssl
edit_tcp
edit_token_http
edit_udp
edit_user
edit_view_html
edit_web_settings
edit_win_admon
edit_win_eventlogs
edit_win_perfmon
edit_win_regmon
edit_win_wmiconf
get_diag
indexes_edit
license_edit
license_tab
list_deployment_client
list_deployment_server
list_forwarders
list_httpauths
list_pdfserver
list_search_head_clustering
list_search_scheduler
list_win_localavailablelogs
rest_apps_management
restart_splunkd
run_debug_commands
web_debug
Verify also imported capabilities
accelerate_search
change_own_password
edit_sourcetypes
embed_report
get_metadata
get_typeahead
input_file
list_inputs
output_file
pattern_detect
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
rtsearch
schedule_rtsearch
schedule_search
search
I can verify that, of the top list, the following are missing:
edit_search_scheduler (doesn't exist in 6.2.3, the current version we're on -- should be moving to 6.3.x in a month or so)
edit_token_http
edit_win_admon
edit_win_eventlogs
edit_win_perfmon
edit_win_regmon
edit_win_wmiconf
list_pdfserver
list_search_scheduler
list_win_localavailablelogs
web_debug (doesn't exist in 6.2.3)
Of the bottom list, I'm not sure exactly how to get most of these are turned on -- only schedule_rtsearch is appearing -- but I'm sure that a number of these are turned on for admin users.
my Splunk instance is version 6.3.2 then it is possible that we have difference.Just add the capabilities which are absent to complete the list and re test
Seems to work fine. Thanks a lot mate 🙂
you are welcome