Why are different users getting different search results?

fab73
Path Finder

I am monitoring Linux hosts (I've installed the Splunk Add-on for *Nix....).

When I run the search sourcetype="linux_audit" in the "Search and Report" app for the last 6 months as USER1, I get zero results. However, the same search in the same time window with the admin user gives about 183.445 events!!!? How is it possible?

Thanks for the support


gcusello
SplunkTrust

Hi fab73,

You have to verify two points in the role assigned to USER1:

  • whether it has access rights on the index into which you inserted linux_audit,
  • whether the index into which you inserted the linux_audit events is in the default search path (you can also verify this point by adding index=your_index to your search).

To verify roles you have to go to [Settings -- Access Controls -- Roles].

Bye.
Giuseppe

fab73
Path Finder

Thanks a lot Giuseppe, I solved it by putting all internal indexes into USER1's role; they were missing from that role but present in the admin's role.
How can I know in which index the "linux_audit" sourcetype is inserted? I did not do any conscious configuration at this level....

Thanks


fab73
Path Finder

Thanks twice; this way I could add the "os"-specific index to the USER1 role. Bye.


gcusello
SplunkTrust

Hi fab73,
To know in which indexes the events with sourcetype=linux_audit are ingested, you have to run a search like this:

| metasearch index=* sourcetype=linux_audit | dedup index | table index

Bye.
Giuseppe

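The two checks Giuseppe describes (is the index allowed for the role at all, and is it in the role's default search path) can be reasoned about outside the UI. The Python below is an added example, not code from the thread or from Splunk: it models how Splunk merges a role's srchIndexesAllowed and srchIndexesDefault with the roles it imports and reports why a search returns nothing. The role definitions are constructed (USER1's real role is unknown); the rule that a bare `*` does not cover internal `_*` indexes is Splunk's.

```python
import fnmatch

# Constructed role table shaped like Splunk's authorize.conf attributes. The attribute
# names are real; the values are made up for the example (USER1's real role is unknown).
ROLES = {
    "admin": {"importRoles": [],
              "srchIndexesAllowed": ["*", "_*"],      # non-internal plus internal indexes
              "srchIndexesDefault": ["main", "os"]},
    "user": {"importRoles": [],
             "srchIndexesAllowed": ["main"],
             "srchIndexesDefault": ["main"]},
    # Hypothetical role for USER1: only what it inherits from "user".
    "user1_role": {"importRoles": ["user"], "srchIndexesAllowed": [], "srchIndexesDefault": []},
}


def effective(role, key, roles=ROLES, seen=None):
    """Union of `key` over the role and every role it imports (Splunk merges them)."""
    if seen is None:
        seen = set()
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    values = set(roles[role].get(key, []))
    for parent in roles[role].get("importRoles", []):
        values |= effective(parent, key, roles, seen)
    return values


def index_matches(index, patterns):
    """Glob match; a bare '*' does not cover internal '_' indexes, hence the separate '_*'."""
    return any(fnmatch.fnmatchcase(index, p)
               for p in patterns
               if not (index.startswith("_") and not p.startswith("_")))


def diagnose(role, index, explicit_index=False):
    """Return "not_allowed" (index absent from srchIndexesAllowed: unsearchable),
    "not_default" (searchable, but a search without index=... returns nothing), or "ok"."""
    if not index_matches(index, effective(role, "srchIndexesAllowed")):
        return "not_allowed"
    if explicit_index or index_matches(index, effective(role, "srchIndexesDefault")):
        return "ok"
    return "not_default"
```

The same attributes can be read for a real role from the REST endpoint /services/authorization/roles/<role> and fed into diagnose() in place of the constructed table.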