Splunk Enterprise Security

Splunk Enterprise Security: Why am I receiving "Search could not be updated: [HTTP 500]" error when trying to save correlation search as ess_admin?

droth333
Explorer

In Splunk Enterprise Security (ES), we cannot save a correlation search as a user with ess_admin. This works if user is admin.

The navigation is: ES/Configure/Content Management/Create new Content/Correlation Search//Save

The full error is displayed in error bar in the UI:

Search could not be updated: [HTTP 500] Splunkd internal error; [{'type': 'ERROR', 'code': None, 'text': 'Unexpected error "" from python handler: "[HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/SA-ThreatIntelligence/storage/collections/data/correlations.... See splunkd.log for more details.'}]

There is not much more in splunkd.log

Is "configuration" change actually a literal "admin" function?
We want to make all "users" of ES to be at most ess_admin.

Thanks,
Dave

0 Karma
1 Solution

smoir_splunk
Splunk Employee
Splunk Employee

You cannot assign ess_admin to users. " You must use a Splunk platform admin role to administer an Enterprise Security installation." See http://docs.splunk.com/Documentation/ES/4.5.1/Install/ConfigureUsersRoles#Configuring_user_roles

If you want ess_analyst users to be able to edit correlation searches, grant them that capability on the ES Permissions page. See http://docs.splunk.com/Documentation/ES/4.5.1/Install/ConfigureUsersRoles#Add_capabilities_to_a_role

View solution in original post

smoir_splunk
Splunk Employee
Splunk Employee

You cannot assign ess_admin to users. " You must use a Splunk platform admin role to administer an Enterprise Security installation." See http://docs.splunk.com/Documentation/ES/4.5.1/Install/ConfigureUsersRoles#Configuring_user_roles

If you want ess_analyst users to be able to edit correlation searches, grant them that capability on the ES Permissions page. See http://docs.splunk.com/Documentation/ES/4.5.1/Install/ConfigureUsersRoles#Add_capabilities_to_a_role

droth333
Explorer

Thanks smoir! Much much more clear now! Also for thanks for quick response.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...