
Why are different users getting different search results?

Path Finder

I am monitoring Linux hosts (I've installed Splunk Add-on for *Nix....).

When I run the search sourcetype="linux_audit" in "Search and Report" app for last 6 months as USER1, I get zero results. However, the same search in the same time window with admin user gives about 183.445 events!!!? How is it possible?

Thanks for support


Re: Why are different users getting different search results?

Legend

hi fab73,

you have to verify two points in the role assigned to USER1:

  • if it has access rights on your index in which you inserted linux_audit,
  • if the index in which you inserted linux_audit events is in the default path (you can verify this point also by inserting index=yourindex in your search).

To verify roles you have to go in [Settings -- Access Controls -- Roles]

Bye.
Giuseppe

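The two checks Giuseppe lists (is the index allowed for the role at all, and is it in the role's default search path) are the same two lists Splunk stores per role in authorize.conf as srchIndexesAllowed and srchIndexesDefault. The following is an added example, not code from the thread or from Splunk: a small Python model that parses a constructed authorize.conf-style snippet, resolves importRoles, expands the wildcard rules, and reports for a given role and index whether a search with no index= clause would hit it. The role names, index list and the exact wildcard and subset semantics are assumptions made for illustration.

```python
"""
Added example (not from the thread and not Splunk's code): a simplified model
of how a role's srchIndexesAllowed / srchIndexesDefault settings decide which
indexes a search touches.  Stanza and key names are the ones Splunk uses in
authorize.conf; the resolution rules below are an assumed re-implementation.
"""
import configparser
import fnmatch

# Constructed sample config.  "user1" was never given the add-on's "os" index
# nor the internal (_*) indexes; "admin" has everything and searches os by default.
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_user1]
importRoles = user
srchIndexesAllowed = main

[role_admin]
importRoles = user
srchIndexesAllowed = *;_*
srchIndexesDefault = main;os
"""

# Constructed list of indexes that exist on the indexers (assumption: the
# *Nix add-on wrote linux_audit events into "os").
KNOWN_INDEXES = ["main", "os", "_internal", "_audit", "_introspection"]


def _split(value):
    """Splunk index lists are ';'-separated."""
    return [v.strip() for v in value.split(";") if v.strip()]


def parse_roles(text):
    """Return {role_name: {"import": [...], "allowed": [...], "default": [...]}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            sec = cp[section]
            roles[section[len("role_"):]] = {
                "import": _split(sec.get("importRoles", "")),
                "allowed": _split(sec.get("srchIndexesAllowed", "")),
                "default": _split(sec.get("srchIndexesDefault", "")),
            }
    return roles


def effective_patterns(roles, role, key, seen=None):
    """Union of a role's own list with the lists of the roles it imports."""
    seen = seen if seen is not None else set()
    if role in seen or role not in roles:
        return []
    seen.add(role)
    patterns = list(roles[role][key])
    for parent in roles[role]["import"]:
        patterns += effective_patterns(roles, parent, key, seen)
    return patterns


def _matches(pattern, index):
    # Assumption modelled here: "*" covers only non-internal indexes, and a
    # pattern starting with "_" (e.g. "_*") is needed to reach internal ones.
    if index.startswith("_") != pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index, pattern)


def expand(patterns, known):
    return sorted({i for i in known for p in patterns if _matches(p, i)})


def searchable(roles, role, known=KNOWN_INDEXES):
    """Indexes the role may name explicitly with index=..."""
    return expand(effective_patterns(roles, role, "allowed"), known)


def default_searched(roles, role, known=KNOWN_INDEXES):
    """Indexes hit by a search with no index= clause (assumed to be a subset of allowed)."""
    allowed = set(searchable(roles, role, known))
    return [i for i in expand(effective_patterns(roles, role, "default"), known) if i in allowed]


def explain(roles, role, index, known=KNOWN_INDEXES):
    """'denied': not allowed at all; 'not_default': only with index=...; 'searched': found by default."""
    if index not in searchable(roles, role, known):
        return "denied"
    if index not in default_searched(roles, role, known):
        return "not_default"
    return "searched"


if __name__ == "__main__":
    roles = parse_roles(AUTHORIZE_CONF)
    for role in ("user1", "admin"):
        print(role, "allowed:", searchable(roles, role), "default:", default_searched(roles, role))
        print(role, "sourcetype=linux_audit in os ->", explain(roles, role, "os"))
```

Running it shows the situation from the question: for user1 the os index is "denied", so sourcetype=linux_audit returns nothing, while for admin it is "searched". The "not_default" outcome is the case Giuseppe's second bullet covers, where the data is reachable but only by adding index=yourindex to the search.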


Re: Why are different users getting different search results?

Path Finder

Thanks a lot Giuseppe, I solved it by putting all the internal indexes into USER1's role; they were missing from that role but present in the admin's role.
How can I know in which index the "linux_audit" sourcetype is inserted? I did not do any conscious configuration at this level....

Thanks


Re: Why are different users getting different search results?

Legend

hi fab73,
to know in which indexes events with sourcetype=linux_audit are ingested, you have to run a search like this:

| metasearch index=* sourcetype=linux_audit | dedup index | table index

Bye.
Giuseppe


Re: Why are different users getting different search results?

Path Finder

Thanks twice; this way I could add the "os"-specific index to the USER1 role. Bye.
