I've created 5 new eventtypes using our admin account and I can see all 5 of them when I perform a search.
When I log in as a regular user, I can only see one of the eventtypes being applied to events. The other 4 eventtypes are not being applied at all as if they do not exist. When I check the eventtypes from the Manager, I can see all 5 of them and confirm that I have permissions to them.
I do not see any difference in the configuration or permissions for the one eventtype that is working compared to the other 4. Why are the other eventtypes not working?
Does your 'normal' user have access to the underlying data? If so, is it searched by default? See Manager -> Access Controls -> Roles -> your_role. At the bottom of the page you can see what indexes are allowed for that role, and which are searched by default.
Yes, the user has access to the data. I can view the events, but the events are missing the eventtype.
It's identical to what I see using my admin account except it's missing the eventtype.
Sounds like it's troubleshooting time 🙂 Off the top of my head:
These are just a few of the things I would start with.
Let me know how you go 🙂
You might have created the new event types from the 'SEARCH' application.
The new event types configurations will reside under \etc\apps\search\local
If you try to use the event types which you created under some other application, they will not be visible.
Either grant permission to "All apps" from 'Splunk Web', so other applications also have visibility of those event types,
or copy the eventtypes.conf files from \etc\apps\search\local
to the application's \etc\apps\yourappname\local
Make sure the users have access to the application.
If all of that is done, users must definitely be able to see those event types.
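As an added example (not part of the thread, and not Splunk's own code), the sharing scope the last answer describes can be checked on disk: each app stores object permissions in `metadata/local.meta`, where `export = system` corresponds to "All apps". The sample file content and the function names below are constructed for illustration, and the script reads only values set on the eventtype stanza itself, without resolving values inherited from broader stanzas.

```python
import re
from urllib.parse import unquote

# Constructed sample in the layout of etc/apps/search/metadata/local.meta
SAMPLE_META = """\
[eventtypes/failed_login]
access = read : [ * ], write : [ admin ]
export = system

[eventtypes/vpn%20session]
access = read : [ admin ], write : [ admin ]
export = none

[eventtypes/proxy_block]
owner = admin

[savedsearches/nightly_report]
export = system
"""

STANZA = re.compile(r"^\[eventtypes/(.+)\]$")
READ = re.compile(r"read\s*:\s*\[([^\]]*)\]")

def audit_eventtypes(meta_text):
    """Map each eventtype stanza to its export scope and read roles."""
    report, current = {}, None
    for line in (raw.strip() for raw in meta_text.splitlines()):
        if line.startswith("["):
            m = STANZA.match(line)
            # Stanza names are URL-encoded in .meta files (%20 for a space)
            current = unquote(m.group(1)) if m else None
            if current:
                # "unset" means this stanza has no value of its own; Splunk
                # then falls back to a broader stanza, which is not resolved here
                report[current] = {"export": "unset", "read": "unset"}
        elif current and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "export":
                report[current]["export"] = value
            elif key == "access" and (m := READ.search(value)):
                report[current]["read"] = [r.strip() for r in m.group(1).split(",") if r.strip()]
    return report

def not_shared_globally(report):
    """Eventtypes that are not explicitly exported to all apps."""
    return sorted(n for n, meta in report.items() if meta["export"] != "system")

if __name__ == "__main__":
    for name in not_shared_globally(audit_eventtypes(SAMPLE_META)):
        print("check sharing for:", name)
```

An eventtype listed here is only usable inside the app that owns it, unless a broader stanza in the same app's metadata exports it.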