Timechart does not work correctly with another user

sergeimartao
Explorer

I created several objects with my local Splunk user and everything is working as expected.
I need to share all items with other users; however, when using timechart the data does not match!

To summarize: with my login the timechart of the search works normally, and with the other logins the timechart of this search does not work, even when the other users try with admin permission.
I would like to know if there is any place to check where the problem is occurring, since I already checked the job inspector and saw no difference.

One note: both searches return the same number of events, 5016.

Example of the difference between searches.

index=csv sourcetype=csv source="/opt/splunk/var/run/splunk/csv/cracha/file-*.csv" DtaDemissao=NULL NomFilial="Filial São Paulo 2 - 0004-07"
| rename IdtUsuario as Account_Login
| join type=left Account_Login [ search index=main | `pesquisaloginsads` NOT `IPsTelefonia` | table Account_Login Client_Address ]
| rename Account_Login as Login NomProfissional as Nome NumMatrProfissional as Matricula NomAlocacao as Alocacao NomFilial as Filial NomProfissionalGESTOR as Gestor QtdBatidaCracha as Batidas 
| table _time Login Nome Matricula Alocacao Filial NomLocalTrabalho Gestor Batidas Client_Address DtaBatidaCracha
| where isnotnull(Client_Address) AND NOT like (Client_Address, "::1") OR NOT like (Batidas, "0")
| timechart count by Filial span=1d

0 Karma

richgalloway
SplunkTrust

Usually, this is a permissions problem. Verify all of the objects you created for this search are shared (not "Private") as even Admins cannot use private objects.

BTW, for better performance, replace table with fields in your search.

---
If this reply helps you, Karma would be appreciated.

0 Karma

sergeimartao
Explorer

I agree with you regarding permissions, but I made sure the objects are all allowed globally.
I even tested the objects separately and they all work.

I can't understand why the search works normally with both users; the problem occurs only the moment I add the last line with timechart.

Can you tell if there is any other way to debug this problem?

Thanks for the remark about fields; I had forgotten that feature.

Thanks!

0 Karma

sergeimartao
Explorer

Well, the report is back in business.

The only thing I did was redo the account_login field extraction.

But honestly this is still strange to me because I had tested this extraction and it was working normally.

Thank you for your help.

0 Karma
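
One way to run the sharing check suggested in the accepted answer, for the two macros in the search and for any field extraction that produces Account_Login (an added example, not part of the original thread). It assumes the extraction's definition mentions the field name; an extraction that names the field elsewhere, such as in a transform, will need a different filter.

```spl
| rest /servicesNS/-/-/admin/macros count=0 splunk_server=local
| search title IN ("pesquisaloginsads", "IPsTelefonia")
| eval object_type="macro"
| append
    [| rest /servicesNS/-/-/data/props/extractions count=0 splunk_server=local
     | search attribute="*Account_Login*" OR value="*Account_Login*"
     | eval object_type="field extraction"]
| rename "eai:acl.app" AS app, "eai:acl.owner" AS owner, "eai:acl.sharing" AS sharing, "eai:acl.perms.read" AS read_roles
| eval visibility=case(sharing=="user", "private to ".owner, sharing=="app", "app only: ".app, true(), "global")
| table object_type title app owner sharing read_roles visibility
| sort object_type title
```

Run it once as the object owner and once as one of the affected users: an object that appears for the owner but is missing, or has a different app or definition, for the other user is the one to inspect. Two rows with the same title in different apps or with different owners mean the two users may be resolving different definitions of the same object.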