ESS Admin Role unable to create correlation searches
I'm getting the following error while trying to save a correlation search as a user with the ess_admin role:
There was an error saving the correlation search: User 'local_ess_admin' with roles { ess_admin, ess_analyst, ess_user, local_ess_admin, power, user } cannot write: /nobody/SplunkEnterpriseSecuritySuite/savedsearches/Threat - test2 - Rule { read : [ * ], write : [ admin ] }, export: global, owner: admin, removable: no, modtime: 1591818982.977029000
The ess_admin role should by default be allowed to edit correlation searches, and the role does have the "edit_correlationsearches" capability. Is there any other capability that should be enabled in order for this to work?
Is this an isolated issue? It makes me wonder if something weird like starting Splunk with the wrong user isn't hitting here.
If you create a new user as an admin (give them the full admin role, not just ess admin), can they create a correlation search? If so, go back to the account you have issues with and assign them admin, not just ess_admin.
