When I run the below query as an admin it returns results however when run as a user it does not. The user is a power user with admin rights, the time picker is set the same. There are no exclusions from the users rights to indexes ( as far as I can tell)
index="login_data" sourcetype="Login_Data"[search index="hrxref_data" sourcetype="HR_XREF" earliest=-60d (LVL1_MOID="xx" OR MOID="xx") | table SignonID ] | eval SignonID=upper(SignonID) | bucket _time span=1d | stats count as LoginCount by _time, SignonID | join type=outer SignonID [search index="hrxref_data" sourcetype="HR_XREF" earliest=-60d (LVL1_MOID="xx" OR MOID="xx") | table SignonID EMP_NAME ] | timechart values(LoginCount) as LoginCount by EMP_NAME
What does the job inspector say (little 'i' icon near the time picker)?
Could some field extraction take place in an app's props or transforms, and the user-role does not have access there?
It looks like the search should work providing the user has access to all the same knowledge objects and indexes.
Check try the following 2 searches.
index="login_data" sourcetype="Login_Data | stats count by SignonID index="hrxref_data" sourcetype="HR_XREF" | stats values(LVL1_MOID) values(MOID) values(SignonID) values(EMP_NAME)
If any of the searches or columns are empty, look to see if the user can see the index and that field extractions are not private.
Field extractions were private. I thought since I added the admin role that the role would share the same objects. For this project I changed the objects to global.