Security
Highlighted

Event types are not being applied to events for regular user account

Explorer

I've created 5 new eventtypes using our admin account and I can see all 5 of them when I perform a search.

When I log in as a regular user, I can only see one of the eventtypes being applied to events. The other 4 eventtypes are not being applied at all as if they do not exist. When I check the eventtypes from the Manager, I can see all 5 of them and confirm that I have permissions to them.

I do not see any difference in the configuration or permissions for the one eventtype that is working compared to the other 4. Why are the other eventtypes not working?

0 Karma
Highlighted

Re: Event types are not being applied to events for regular user account

Ultra Champion

Does your 'normal' user have access to the underlying data? If so, is is searched by default? See Manager -> Access Controls -> Roles -> your_role. At the bottom of the page you can see what indexes are allowed for that role, and which are searched by default.

0 Karma
Highlighted

Re: Event types are not being applied to events for regular user account

Explorer

Yes, the user has access to the data. I can view the events, but the events are missing the eventtype.

It's identical to what I see using my admin account except it's missing the eventtype.

0 Karma
Highlighted

Re: Event types are not being applied to events for regular user account

Builder

Hi Sephora_it,

Sounds like it's troubleshooting time 🙂 Off the top of my head:

  • Have you tried running the exact search that you used for the eventtype definitions as the regular user?
  • Do the regular users have access/permissions to the apps the extract the field names you used in your eventtype definitions?
  • Do the regular users have access/permissions to the app that the eventtype definitions were made in?

These are just a few of the things I would l start with.

Let me know how you go 🙂

Highlighted

Re: Event types are not being applied to events for regular user account

Contributor

You might created new Event types from 'SEARCH' application.

The new event types configurations will reside under \etc\apps\search\local

If you try to use the event types which you created under some other application it will not be visible.

Either from 'Splunk Web' you ought to grant permission to "All apps" - So other applications also have visibility to that event types.
or Copy the eventtypes.conf files from the \etc\apps\search\local
to the application \etc\apps\yourappname\local

Make sure the users had access to application

If all done , users must definitely can able to see that event types.

0 Karma
Highlighted

Re: Event types are not being applied to events for regular user account

Explorer

Yes to all of the questions above. I've allowed permissions for all Apps.

0 Karma