Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Enterprise Security: Why am I receiving "Search could not be updated: [HTTP 500]" error when trying to save correlation search as ess_admin?

droth333
Explorer
‎12-16-2016 10:49 AM

In Splunk Enterprise Security (ES), we cannot save a correlation search as a user with ess_admin. This works if user is admin.

The navigation is: ES/Configure/Content Management/Create new Content/Correlation Search//Save

The full error is displayed in error bar in the UI:

Search could not be updated: [HTTP 500] Splunkd internal error; [{'type': 'ERROR', 'code': None, 'text': 'Unexpected error "" from python handler: "[HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/SA-ThreatIntelligence/storage/collections/data/correlations.... See splunkd.log for more details.'}]

There is not much more in splunkd.log

Is "configuration" change actually a literal "admin" function?
We want to make all "users" of ES to be at most ess_admin.

Thanks,
Dave

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

smoir_splunk
Splunk Employee
Splunk Employee
‎12-16-2016 11:37 AM

You cannot assign ess_admin to users. " You must use a Splunk platform admin role to administer an Enterprise Security installation." See http://docs.splunk.com/Documentation/ES/4.5.1/Install/ConfigureUsersRoles#Configuring_user_roles

If you want ess_analyst users to be able to edit correlation searches, grant them that capability on the ES Permissions page. See http://docs.splunk.com/Documentation/ES/4.5.1/Install/ConfigureUsersRoles#Add_capabilities_to_a_role

View solution in original post

Reply
Solved! Jump to solution
Solution

smoir_splunk
Splunk Employee
Splunk Employee
‎12-16-2016 11:37 AM

You cannot assign ess_admin to users. " You must use a Splunk platform admin role to administer an Enterprise Security installation." See http://docs.splunk.com/Documentation/ES/4.5.1/Install/ConfigureUsersRoles#Configuring_user_roles

If you want ess_analyst users to be able to edit correlation searches, grant them that capability on the ES Permissions page. See http://docs.splunk.com/Documentation/ES/4.5.1/Install/ConfigureUsersRoles#Add_capabilities_to_a_role

View solution in original post

Reply
Solved! Jump to solution

droth333
Explorer
‎12-16-2016 12:26 PM

Thanks smoir! Much much more clear now! Also for thanks for quick response.

0 Karma
Reply
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Get Updates on the Splunk Community!