Security

Event types are not being applied to events for regular user account

sephora_it
Explorer

I've created 5 new eventtypes using our admin account and I can see all 5 of them when I perform a search.

When I log in as a regular user, I can only see one of the eventtypes being applied to events. The other 4 eventtypes are not being applied at all as if they do not exist. When I check the eventtypes from the Manager, I can see all 5 of them and confirm that I have permissions to them.

I do not see any difference in the configuration or permissions for the one eventtype that is working compared to the other 4. Why are the other eventtypes not working?

0 Karma

chimbudp
Contributor

You might have created the new event types from the 'SEARCH' application.

The new event types configurations will reside under \etc\apps\search\local

If you try to use the event types which you created under some other application, they will not be visible.

Either grant permission to "All apps" from 'Splunk Web', so that other applications also have visibility of those event types, or copy the eventtypes.conf files from \etc\apps\search\local to the application's \etc\apps\your_app_name\local

Make sure the users have access to the application.

If all of this is done, users must definitely be able to see those event types.

0 Karma
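An added example, not part of the posts in this thread: a small checker for the sharing rules described in the answer above. It reads event type stanzas from an app's `metadata/local.meta` and reports, for a given set of roles and app context, whether each event type is visible or why it is hidden. The sample file content, event type names, role names and `my_app` are constructed for illustration, and the check assumes the user already has read access to the app itself.

```python
import re

# Constructed sample of etc/apps/search/metadata/local.meta (names are made up).
SAMPLE_META = """\
[eventtypes/failed_login]
access = read : [ * ], write : [ admin ]
export = system
[eventtypes/priv_escalation]
access = read : [ admin ], write : [ admin ]
export = system
[eventtypes/vpn_connect]
access = read : [ * ], write : [ admin ]
export = none
"""

def parse_meta(text):
    """Return {stanza: {key: value}} from .meta-style text."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def read_roles(access):
    """Extract the read role list from 'read : [ a, b ], write : [ ... ]'."""
    m = re.search(r"read\s*:\s*\[([^\]]*)\]", access)
    return {r.strip() for r in m.group(1).split(",") if r.strip()} if m else set()

def visibility(text, roles, owning_app, current_app):
    """Map each event type to 'visible' or the reason it is hidden."""
    result = {}
    for stanza, attrs in parse_meta(text).items():
        if not stanza.startswith("eventtypes/"):
            continue
        name = stanza.split("/", 1)[1]
        allowed = read_roles(attrs.get("access", ""))
        if "*" not in allowed and not allowed & set(roles):
            result[name] = "no read access for role"
        elif current_app != owning_app and attrs.get("export") != "system":
            result[name] = "not exported to other apps"
        else:
            result[name] = "visible"
    return result

if __name__ == "__main__":
    print(visibility(SAMPLE_META, ["user"], "search", "my_app"))
```

Running it against the real `local.meta` of the app where the event types were created, once with the admin role and once with the regular user's roles, shows which of the two conditions differs.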

sephora_it
Explorer

Yes to all of the questions above. I've allowed permissions for all Apps.

0 Karma

rturk
Builder

Hi Sephora_it,

Sounds like it's troubleshooting time 🙂 Off the top of my head:

  • Have you tried running the exact search that you used for the eventtype definitions as the regular user?
  • Do the regular users have access/permissions to the apps that extract the field names you used in your eventtype definitions?
  • Do the regular users have access/permissions to the app that the eventtype definitions were made in?

These are just a few of the things I would start with.

Let me know how you go 🙂

sephora_it
Explorer

Yes, the user has access to the data. I can view the events, but the events are missing the eventtype.

It's identical to what I see using my admin account except it's missing the eventtype.

0 Karma

kristian_kolb
Ultra Champion

Does your 'normal' user have access to the underlying data? If so, is it searched by default? See Manager -> Access Controls -> Roles -> your_role. At the bottom of the page you can see what indexes are allowed for that role, and which are searched by default.

0 Karma