Splunk Search

Charts not appearing for users other than admin

HXCaine
Path Finder

I have indexed data being displayed in dashboards, which are working well. However, I have created additional users and these users cannot execute any searches. I have found that even an additional admin account cannot execute searches (although it should be identical to my original 'admin' account). These additional accounts can, however, view the results of scheduled searches.

The data is definitely visible to these users, only searching is broken. For example, these users can see the results for this search:

sourcetype="dailylogs"

But get "No matching events found. Inspect..." for this search:

sourcetype="dailylogs" status="error"

What do I need to do to enable users to search?

0 Karma
1 Solution

Drainy
Champion

OK, let's go back to the start. We've made an assumption that permissions are being applied, and I'm assuming you've made the correct apps global 🙂

As an admin, do a search for status=*. Identify an event. Now, as another user, do a search for sourcetype=blah and locate the event you identified previously with the status field.

If it's there, have a look at the field extractor on the left to see if any extractions have been applied; if not, then there must be a permissions issue somewhere. Some other tests are to then try and do some stats commands, perhaps a table command on _raw, to check you can make these commands execute.

Finally, use the rex command to pull status out yourself at search time with | rex "regular expression".

It really does sound like a permissions issue though. By default, most things admin creates will pop up in the search app and be private, so you really need to make sure that everything has read access for everyone.


Drainy
Champion

No worries 🙂 Glad you've sorted it!

0 Karma

HXCaine
Path Finder

This did it, thanks so much! Turns out I had my field extractions as private (didn't realise they had their own permissions). Will be careful next time I create anything to look out for permissions. Thanks again 🙂

0 Karma

Drainy
Champion

What is more likely happening is that the eventtype of error is set to private for that one admin. You can change the permissions of your event types in Manager -> Event types. Probably a safe bet also that there will be saved searches embedded in dashboards that again may have permissions that need setting to global.

0 Karma

HXCaine
Path Finder

My thoughts exactly. Yes, they are members of the user role, and some are members of all roles. Any other ideas? It seems like only the original 'admin' account can access this stuff.

0 Karma

Drainy
Champion

Well if they have access to the extractions and the data then there is no reason why they shouldn't be able to search.
Are they all members of the User role?

0 Karma

HXCaine
Path Finder

Yes it is.

0 Karma

Drainy
Champion

Ok, the app which contains the search extraction for that, is it also set to global?

0 Karma

HXCaine
Path Finder

I'm sorry, I chose that as a terrible example, I didn't really mean eventType (I've now changed it to 'status' to make it clearer). My event types are all currently global so that's not the problem.

0 Karma