Splunk Enterprise Security
Highlighted

Splunk Enterprise Security: Why am I receiving "Search could not be updated: [HTTP 500]" error when trying to save correlation search as ess_admin?

Explorer

In Splunk Enterprise Security (ES), we cannot save a correlation search as a user with ess_admin. This works if user is admin.

The navigation is: ES/Configure/Content Management/Create new Content/Correlation Search//Save

The full error is displayed in error bar in the UI:

Search could not be updated: [HTTP 500] Splunkd internal error; [{'type': 'ERROR', 'code': None, 'text': 'Unexpected error "" from python handler: "[HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/SA-ThreatIntelligence/storage/collections/data/correlations.... See splunkd.log for more details.'}]

There is not much more in splunkd.log

Is "configuration" change actually a literal "admin" function?
We want to make all "users" of ES to be at most ess_admin.

Thanks,
Dave

0 Karma
Highlighted

Re: Splunk Enterprise Security: Why am I receiving "Search could not be updated: [HTTP 500]" error when trying to save correlation search as ess_admin?

Splunk Employee
Splunk Employee

You cannot assign essadmin to users. " You must use a Splunk platform admin role to administer an Enterprise Security installation." See http://docs.splunk.com/Documentation/ES/4.5.1/Install/ConfigureUsersRoles#Configuringuser_roles

If you want essanalyst users to be able to edit correlation searches, grant them that capability on the ES Permissions page. See http://docs.splunk.com/Documentation/ES/4.5.1/Install/ConfigureUsersRoles#Addcapabilitiestoa_role

View solution in original post

Highlighted

Re: Splunk Enterprise Security: Why am I receiving "Search could not be updated: [HTTP 500]" error when trying to save correlation search as ess_admin?

Explorer

Thanks smoir! Much much more clear now! Also for thanks for quick response.

0 Karma