Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

User could not act as admin in splunk

msunilreddy
New Member
4 weeks ago

Hi Team,

   We are seeing  error like"user could not act as admin in splunk" for the Rest API call "/servicesNS/admin/search/search/jobs/rt_scheduler__admin__search__RMD55bf3dd661d6ebedc_at_1756741585_99.3/events?output_mode=json"

It looks like user is unable to execute this admin search query.
 
Coul you please explain what capabilities we need to give this user? Or point any documentation link for the same ?
 
How to get all alerts from Splunk using non admin user?
 
Thanks,
Sunil
 
 
Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
4 weeks ago

I suspect the error message stems from a non-admin user trying to run a command as an admin user (the "admin" in 'servicesNS/admin/...').  Try running the command /services/search/jobs/rt_scheduler__admin__search__RMD55bf3dd661d6ebedc_at_1756741585_99.3/events?output_mode=json or /servicesNS/-/search/search/jobs/rt_scheduler__admin__search__RMD55bf3dd661d6ebedc_at_1756741585_99.3/events?output_mode=json to get the information available to the user (which may be nothing).

If those don't give the desired results then you may need to give the user the list_search_scheduler or admin_all_objects capability.

BTW, that endpoint is deprecated.  The user should switch to the v2 endpoint.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
4 weeks ago

Hi @msunilreddy 

How are you interacting with Splunk to get this error? Are you using the REST API in order to retrieve the alerts/events or is this from within Splunk itself?

Did the search that you are trying to get results for get run as the admin as a private search, not shared in the app?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

msunilreddy
New Member
4 weeks ago

I am using RestAPI calls.

0 Karma
Reply
Get Updates on the Splunk Community!

Fall Into Learning with New Splunk Education Courses

Every month, Splunk Education releases new courses to help you branch out, strengthen your data science roots, ...

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

By Martin Hettervik, Senior Consultant and Team Leader at Accelerate at Iver, Splunk MVPThe stats command is ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Your bank's payment processing system is humming along during a busy afternoon, handling millions in hourly ...