The user can search normally but cannot search real-time. It gets the following message:
[HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/splunkuser/search/search/jobs
Thank you,
You may wish to make sure the user has the correct capabilities for the role that they are using.
The following answer post also mentions the same error that you are seeing:
In all likelihood, the user does not have the capability to run a real time search.
We are having a similar issue, except we do not want our users to be able to search in real time. Some of our users are receiving the not authorized error while searching in the past 24 hours , etc. All users are allowed to search at least up to 7 days of history. Any ideas here? Thank you.
You may wish to make sure the user has the correct capabilities for the role that they are using.
The following answer post also mentions the same error that you are seeing:
In all likelihood, the user does not have the capability to run a real time search.
Thanks for the pointer. I had already tried it but the capability that was missing was one that is there for the power user. Anyway you got me thinking and trying to determine why some users could do it and some could not. Those that could were power users. The capability to select/allow is "rtsearch".
Is the user an admin user or a user without permissions to run real time searches?