I have indexed data being displayed in dashboards, which are working well. However, I have created additional users and these users cannot execute any searches. I have found that even an additional admin account cannot execute searches (although it should be identical to my original 'admin' account). These additional accounts can, however, view the results of scheduled searches.
The data is definitely visible to these users, only searching is broken. For example, these users can see the results for this search:
sourcetype="dailylogs"
But get "No matching events found. Inspect..." for this search:
sourcetype="dailylogs" status="error"
What do I need to do to enable users to search?
OK, let's go back to the start. We've made an assumption that permissions are being applied and I'm assuming you've made the correct apps global 🙂
As an admin do a search for status=*. Identify an event. Now, as another user do a search for sourcetype=blah and locate the event you identified previously with the status field.
If it's there, have a look at the field extractor on the left to see if any extractions have been applied. If not, then there must be a permissions issue somewhere. Some other tests are to then try and do some stats commands, perhaps a table command on _raw to check you can make these commands execute.
Finally, use the rex command to pull status out yourself at search time with | rex "regular expression".
It really does sound like a permissions issue though. By default, most things admin creates will pop up in the search app and be private, so you really need to make sure that everything has read access for everyone.
No worries 🙂 Glad you've sorted it!
This did it, thanks so much! Turns out I had my field extractions as private (didn't realise they had their own permissions). Will be careful next time I create anything to look out for permissions. Thanks again 🙂
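The cause found in this thread (a field extraction left private, so a search on `status` matches nothing for other users) can be checked for every extraction at once. This is an added example, not part of the original thread or Splunk's own code: it assumes the ACL JSON returned by the REST endpoint `/servicesNS/-/-/data/props/extractions?output_mode=json`, runs on constructed sample entries, and ignores role inheritance.

```python
import json

# Constructed sample shaped like the JSON Splunk's REST API returns for
# /servicesNS/-/-/data/props/extractions?output_mode=json (assumed endpoint;
# the names and values below are made up for illustration).
SAMPLE = json.dumps({"entry": [
    {"name": "dailylogs : EXTRACT-status",
     "acl": {"app": "search", "owner": "admin", "sharing": "user", "perms": None}},
    {"name": "dailylogs : EXTRACT-host_id",
     "acl": {"app": "search", "owner": "admin", "sharing": "app",
             "perms": {"read": ["admin"], "write": ["admin"]}}},
    {"name": "dailylogs : EXTRACT-user",
     "acl": {"app": "search", "owner": "admin", "sharing": "global",
             "perms": {"read": ["*"], "write": ["admin"]}}},
]})


def visible_to(acl, user, roles, app):
    """Return (visible, reason) for one knowledge object's ACL."""
    sharing = acl.get("sharing")
    if sharing == "user":
        # Private objects are applied only for their owner.
        if acl.get("owner") == user:
            return True, "owner"
        return False, "private to " + str(acl.get("owner"))
    if sharing == "app" and acl.get("app") != app:
        return False, "shared only inside app " + str(acl.get("app"))
    # perms can be null for private objects, so default to an empty list.
    readers = (acl.get("perms") or {}).get("read") or []
    if "*" in readers or set(readers) & set(roles):
        return True, "read granted"
    return False, "no read permission for roles " + ", ".join(sorted(roles))


def audit(raw_json, user, roles, app):
    """List the extractions that would NOT apply to this user's searches."""
    findings = []
    for entry in json.loads(raw_json).get("entry", []):
        ok, reason = visible_to(entry.get("acl", {}), user, roles, app)
        if not ok:
            findings.append((entry["name"], reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE, "alice", ["user"], "search"):
        print(f"{name}: {reason}")
```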
What is more likely happening is that the eventtype of error is set to private for that one admin. You can change the permissions of your event types in Manager -> Event types. Probably a safe bet also that there will be saved searches embedded in dashboards that again may have permissions that need setting to global.
My thoughts exactly. Yes they are members of the user role, and some are members of all roles. Any other ideas? It seems like only the original 'admin' account can access this stuff.
Well, if they have access to the extractions and the data then there is no reason why they shouldn't be able to search.
Are they all members of the User role?
Yes it is.
Ok, the app which contains the search extraction for that, is it also set to global?
I'm sorry, I chose that as a terrible example, I didn't really mean eventType (I've now changed it to 'status' to make it clearer). My event types are all currently global so that's not the problem.