Splunk Enterprise Security

ESS Admin Role unable to create correlation searches

ehowardl3
Path Finder

I'm getting the following error while trying to save a correlation search as a user with the ess_admin role:

There was an error saving the correlation search: User 'local_ess_admin' with roles { ess_admin, ess_analyst, ess_user, local_ess_admin, power, user } cannot write: /nobody/SplunkEnterpriseSecuritySuite/savedsearches/Threat - test2 - Rule { read : [ * ], write : [ admin ] }, export: global, owner: admin, removable: no, modtime: 1591818982.977029000

The ess_admin role should by default be allowed to edit correlation searches, and the role does have the "edit_correlationsearches" capability. Is there any other capability that should be enabled in order for this to work?


0 Karma
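The error quoted above is an object-level ACL check, not a capability check: the saved search's write list is `[ admin ]` and none of the user's roles appears in it, so `edit_correlationsearches` alone cannot satisfy it. The following Python is an added example, not code from this thread or from Splunk: it parses that message, reports which roles the write ACL would accept, and renders the `metadata/local.meta` stanza (under the app's directory) an admin could use to extend the write list. The `*` wildcard rule and the `access = read : [...], write : [...]` stanza syntax follow Splunk's documented ACL format; the helper names are my own.

```python
import re

# Constructed sample: the error quoted in the question, with its roles and ACL.
ERROR_MSG = (
    "There was an error saving the correlation search: User 'local_ess_admin' "
    "with roles { ess_admin, ess_analyst, ess_user, local_ess_admin, power, user } "
    "cannot write: /nobody/SplunkEnterpriseSecuritySuite/savedsearches/"
    "Threat - test2 - Rule { read : [ * ], write : [ admin ] }, export: global, "
    "owner: admin, removable: no, modtime: 1591818982.977029000"
)

# Matches the object path and ACL lists embedded in Splunk's "cannot read/write" error.
ACL_RE = re.compile(
    r"User '(?P<user>[^']+)' with roles \{ (?P<roles>[^}]*) \} "
    r"cannot (?P<action>read|write): (?P<path>.*?) "
    r"\{ read : \[ (?P<read>[^\]]*) \], write : \[ (?P<write>[^\]]*) \] \}"
)


def _names(field):
    """Turn 'a, b, c' into a set of names; an empty list yields an empty set."""
    return {n.strip() for n in field.split(",") if n.strip()}


def allowed(roles, acl_list):
    """Splunk object ACL rule: '*' grants everyone, otherwise any shared role suffices."""
    return "*" in acl_list or bool(roles & acl_list)


def diagnose(msg):
    """Parse the error and report whether the object ACL (not a capability) blocked the user."""
    m = ACL_RE.search(msg)
    if not m:
        raise ValueError("not a Splunk object ACL error")
    roles = _names(m["roles"])
    acl = {"read": _names(m["read"]), "write": _names(m["write"])}
    owner, app, stanza = m["path"].lstrip("/").split("/", 2)
    needed = acl[m["action"]]
    ok = allowed(roles, needed)
    return {
        "user": m["user"], "roles": roles, "action": m["action"],
        "owner": owner, "app": app, "stanza": stanza, "acl": acl, "allowed": ok,
        # Roles that would satisfy the ACL; empty when access is already granted.
        "grants_access": [] if ok else sorted(needed - roles),
    }


def local_meta_stanza(stanza, acl, extra_write=()):
    """Render the local.meta stanza that adds roles to the object's write list."""
    write = sorted(acl["write"] | set(extra_write))
    return (f"[{stanza}]\n"
            f"access = read : [ {', '.join(sorted(acl['read']))} ], "
            f"write : [ {', '.join(write)} ]\n")
```

`diagnose(ERROR_MSG)["grants_access"]` returns `['admin']` for the message above, which is why the answer below suggests testing with a full admin account first.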

The_Simko
SplunkTrust

Is this an isolated issue? It makes me wonder if something weird like starting Splunk with the wrong user isn't hitting here.
If you create a new user as an admin (give them the full admin role, not just ess_admin), can they create a correlation search? If so, go back to the account you have issues with and assign them admin, not just ess_admin.

0 Karma