We have a separate ES- Splunk Cloud for our organisation.
So in which we have provided access via SAML authentication for all the members in Security Operations team. And we have created roles like for them as well.
Our issue is currently one of the user from Security Operations team can able to login via SAML authentication but he couldn't able to view the Incident Review dashboard data when he searched for anytime.
When we checked the Job Inspector we are getting the below mentioned errors.
So other users who are provided with the same role has access to Incident review dashboard and they can view the notable events whereas this particular user alone couldnt able to view the incident review dashboard events.
When i checked the Job Inspector i can see error events like below:
Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job inspector for more info.
Also some error in logs as:
WARN Download Remote DataTransaction - Got status code : 404 (Not Found) from indexer.
So kindly let me know why the particular user can able to login the Splunk Cloud but couldn't able to view the events in the Incident Dashboard.
You can check and compare the capabilities for the user who is not able to view notable events and open the incident review dashboard with other users who are able to access that dashboard.
You can take reference from this Splunk Documentation regarding ES capabilities: