Splunk Search
Highlighted

Different result between tow users with the same search

Engager

i have an search with two transaction

index=myindex | transaction queueid sendmailuid messageid maxspan=5s | search $whatever$ | transaction messageid | table message_id from to

and the result from user admin (role admin)

message_id          from                            to
1007998@re.com  ntf-16_1-info_=_schuf.com   805@nm.de
                                            info@schxxxxxx.bla
                                            v4@mailxxxxxxx.e 

So ok, but an user with the role user, it seems, that the second transaction doesn't work.
He see only the events from the first transaction. Also 3 events in the example above.

the settings of this user

  • change_
  • own_password
  • get_metadata
  • get_typeahead
  • input_file
  • list_inputs
  • output_file
  • requestremotetok
  • restappsview
  • restpropertiesget
  • restpropertiesset
  • schedule_rtsearch
  • search

and he can only search the index myindex

I thing something missing, but what ?

Tags (2)
0 Karma
Highlighted

Re: Different result between tow users with the same search

SplunkTrust
SplunkTrust

Make sure that user can see all the field extractions/lookups/wherever the required fields come from.

View solution in original post

Highlighted

Re: Different result between tow users with the same search

Engager

Ah i have it.

I use fields from the app 'Syslog for Postfix' and the user-role could not read this app.
Thx martin_mueller 😄

0 Karma