- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Can I give users the ability to create "Saved Sear...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I give users the ability to create "Saved Searches" but not the ability to schedule?
From what I have found online, and looking in the Manager, it appears that I can only give users the ability to schedule a search.
http://www.splunk.com/base/Documentation/latest/admin/Addusersandassignroles
However, I do not want to give users the ability to schedule their searches, but I DO want to give them the ability to create a Saved Search.
Can this be done?
Thanks,
Sean
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sean,
By default users have the ability to create a saved search. This is not a capability you need to add. If you don't want them to schedule searches (also default behavior) make sure you don't set the "schedule_search" capability.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vsid maps to a viewstate.conf stanza. The error you are getting specifies that you have a savedsearch with a vsid that is not available in viewstates.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure I understand what "vsid" does. Here is the user's savedsearches.conf
[VTS Connection]
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
displayview = flashtimeline
request.ui_dispatch_view = flashtimeline
search = mcvts00#
vsid = gdxa8nfw
[VTS Connection Errors]
dispatch.earliest_time = 1286946000
dispatch.latest_time = 1287201600
displayview = report_builder_display
request.ui_dispatch_view = report_builder_display
search = vts error | timechart count
vsid = *:gfbm5aqs
I cloned the user having issues, and the cloned user has the exact same problem.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried removing any references to vsid=gn0t66si in savedsearches.conf?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Every time basic users try to save a search, they get the following:
Encountered the following error while trying to save: In handler 'savedsearch': Cannot find viewstate with vsid="gn0t66si"
Name Alert - HH returnValTBWS
Search host=hhwas0* "returnValTBWS:false"
Description (optional)
Time rangeStart time (optional)
'-1d' is a day ago. '-45m' is 45 minutes ago.
Time specifiers: y, mon, d, h, m, s
Finish time (optional)
What else could be wrong? Why am I getting the errors above? My admin account has no problem saving exactly what is listed above.
Thanks,
Sean
Infographic provides the TL;DR for the 2024 Splunk Career Impact Report
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
