Splunk Enterprise

Access issue with different users

uagraw01
Motivator

Hello Splunkers !!

I'm noticing an issue in Splunk. When I log in with the production manager role, the report figures are perfectly accurate. But when I access Splunk using a customer role, the values in the reports differ from what I see as a production manager. Any suggestions on how to troubleshoot or resolve this difference would be appreciated!

uagraw01_0-1767605337892.png

uagraw01_1-1767605359201.png

Correct values with the production manager role

uagraw01_4-1767605521217.png

 

Wrong values with the customer role

uagraw01_3-1767605494874.png

 

 

0 Karma

PickleRick
SplunkTrust

We don't know what powers those charts, but the differences in results when a search is run as users with different roles usually boil down to:

1) Difference in index access permissions (remember that roles can also have search filters)

2) Difference in access to apps in which KOs are defined or even specific KOs.

Also some users have private KOs which can affect what is being extracted/calculated and so on. And sometimes the search behaves differently (has access to different KOs) depending on which app it's being run in.

So there are several possible points where the behaviour could differ.

I'd start with cutting the search to the very initial part (before first pipe) and comparing:

1) Number of results

2) Extracted fields.

 

0 Karma
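An added example (not part of the original thread) of the first check listed in the answer above: it resolves each role's allowed indexes and search filters from authorize.conf, including roles inherited through importRoles, and reports where two roles differ. The configuration, role names and index names are constructed; index patterns are treated as plain globs, and app or knowledge-object permissions are not covered.

```python
import configparser
from fnmatch import fnmatchcase
# Constructed authorize.conf sample; role and index names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main

[role_production_manager]
importRoles = user
srchIndexesAllowed = json;prod_*

[role_customer]
importRoles = user
srchIndexesAllowed = json
srchFilter = source=decan
"""

def load_roles(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # setting names are case-sensitive
    cp.read_string(text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def effective(roles, name, seen=None):
    """Merge a role's indexes and filters with those inherited via importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # cycle, blank or unknown role
        return set(), set()
    seen.add(name)
    conf = roles[name]
    indexes = {i.strip() for i in conf.get("srchIndexesAllowed", "").split(";") if i.strip()}
    filters = {conf["srchFilter"].strip()} if conf.get("srchFilter", "").strip() else set()
    for parent in conf.get("importRoles", "").split(";"):
        p_idx, p_flt = effective(roles, parent.strip(), seen)
        indexes |= p_idx
        filters |= p_flt
    return indexes, filters

def compare(roles, role_a, role_b, index_names):
    """Indexes only one role can search, plus each role's search filters."""
    idx_a, flt_a = effective(roles, role_a)
    idx_b, flt_b = effective(roles, role_b)
    can = lambda pats: {i for i in index_names if any(fnmatchcase(i, p) for p in pats)}
    return {"only_" + role_a: sorted(can(idx_a) - can(idx_b)),
            "only_" + role_b: sorted(can(idx_b) - can(idx_a)),
            "filters": {role_a: sorted(flt_a), role_b: sorted(flt_b)}}

if __name__ == "__main__":
    print(compare(load_roles(SAMPLE_AUTHORIZE_CONF), "production_manager", "customer", ["main", "json", "prod_orders"]))
```

An index listed under only one role, or a search filter present on only one side, is a candidate explanation for the same search returning different counts.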

uagraw01
Motivator

@PickleRick I’m not using any knowledge objects in the panel search; it’s a direct index search. After granting read access to the Search & Reporting app, the numbers started appearing correctly, consistent with other user roles.

index=json a type=Put data.workstationId=*
| spath source | search source=decan
| rename data.putCarrierPhysicalId as BinId, data.orderId as OrderId, data.putCarrierQuantity as qty, data.workstationId as workstation
| timechart span=1d@d1 sum(qty) as value by workstation
| addtotals

0 Karma

isoutamo
SplunkTrust
IMHO: in any reasonably sized environment you should have separate apps for different business units / systems. Don't use Search And Reporting for anything, especially if you have or plan to have an SHC environment.
0 Karma

PickleRick
SplunkTrust

Well, a sourcetype can also be defined within an app to which access might differ between roles.

As a side remark - "data.workstationId=*" is a relatively performance-hungry condition. If you can narrow down your events by specifying the field name (simply adding "workstationId" on its own) as a search term - do it. (Of course, if 95% of your events contain this field it won't help much, but if it's just 10%, it will give you significant savings on search time.)

0 Karma

livehybrid
SplunkTrust

Hi @uagraw01 

It's suspicious that the results are 4x different between them - I wouldn't expect this to be a capabilities issue but perhaps something else, such as one user being able to search multiple indexes, or even a field extraction that one role has access to which another doesn't.

Are you able to confirm which numbers are correct? 

Are you also able to share the search so we can see what might be the issue there? Please redact anything sensitive in the search if you're going to share it.


 

0 Karma

uagraw01
Motivator

Hi @livehybrid 

The numbers below are correct, which is the Production_manager role.

uagraw01_0-1767607497699.png


One more thing to add: while opening the panel search in the customer role I am getting an oops message, but in the Production manager role the panel is working fine and opens in another window.

uagraw01_1-1767607596951.png

 

0 Karma

isoutamo
SplunkTrust
This sounds like your Customer role doesn't have all the access defined that is needed to get the data.
Can you check which roles are needed to display that dashboard, including all KOs like macros, eventtypes, reports etc.?
Usually that Oops screen means that this user/role doesn't have access to this dashboard/report etc.
0 Karma

uagraw01
Motivator

@isoutamo I have now given read access to the Search & Reporting app to the customer role, and now the figures are similar to those of the production manager role.

isoutamo
SplunkTrust
Nice to hear that this solved the issue.
BTW, here is an excellent presentation on how everyone should manage Splunk access: https://conf.splunk.com/files/2023/slides/PLA1169B.pdf
If you don't have a full CI/CD pipeline with the needed parts then you could/should somehow simplify this, but generally speaking this is an excellent way to manage RBAC access in Splunk.

uagraw01
Motivator

@isoutamo Thanks for sharing this with me. I will try to accommodate it in my environment.

0 Karma