I have a search with two transactions:
index=myindex | transaction queueid sendmailuid messageid maxspan=5s | search $whatever$ | transaction messageid | table message_id from to
and the result from user admin (role admin)
message_id from to
firstname.lastname@example.org ntf-16_1-info_=_schuf.com email@example.com
So OK, but for a user with the role user, it seems that the second transaction doesn't work.
He sees only the events from the first transaction. Also 3 events in the example above.
the settings of this user
and he can only search the index myindex
I think something is missing, but what?
Make sure that user can see all the field extractions/lookups/wherever the required fields come from.
Ah, I have it.
I use fields from the app 'Syslog for Postfix' and the user-role could not read this app.
Thx martin_mueller 😄
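An added example, not part of the original posts and not Splunk's own code: a simplified check of which roles may read an app's knowledge objects, based on the `access = read : [...]` lines in the app's `metadata/*.meta` file. The sample metadata, the sourcetype `postfix_syslog` and the object names are constructed, and role inheritance is ignored.

```python
import re

# Constructed sample of an app's metadata/local.meta (not from the thread).
SAMPLE_META = """
[]
access = read : [ admin ], write : [ admin ]

[props]
access = read : [ admin, power ], write : [ admin ]

[transforms/postfix_lookup]
access = read : [ * ], write : [ admin ]
"""

def parse_meta(text):
    """Return {stanza: set of roles with read access} from .meta text."""
    acl, stanza = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            stanza = header.group(1)   # "" is the app-wide default stanza []
            continue
        m = re.match(r"access\s*=.*?read\s*:\s*\[([^\]]*)\]", line)
        if m and stanza is not None:
            acl[stanza] = {r.strip() for r in m.group(1).split(",") if r.strip()}
    return acl

def can_read(acl, role, obj):
    """Check read access for an object such as 'props/postfix_syslog/EXTRACT-queueid'.
    Walks from the most specific stanza up to the app default []."""
    parts = obj.split("/")
    for n in range(len(parts), -1, -1):
        readers = acl.get("/".join(parts[:n]))
        if readers is not None:
            return "*" in readers or role in readers
    return False  # assumption: no ACL stanza found means not readable

if __name__ == "__main__":
    acl = parse_meta(SAMPLE_META)
    for obj in ("props/postfix_syslog/EXTRACT-queueid", "transforms/postfix_lookup"):
        for role in ("admin", "user"):
            print(f"{role:6} {obj:40} readable={can_read(acl, role, obj)}")
```

A role that fails this check for the field extractions never sees the extracted fields, so a `transaction` on such a field has nothing to group by for that user.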