What privileges are needed to use tstats summariesonly=t?

reed_kelly
Contributor

We have accelerations turned on and at 100% for a number of our datamodels. I like the speed obtained by using |tstats summariesonly=t. If I remove the summariesonly=t, then the results are exactly the same, but the search takes 10 times longer.

I would like other users to benefit from the speed boost, but they don't see any results unless I put them in the Admin group. Is there another privilege that I need to grant them to make summariesonly=t work? They already have read access to the datamodel and root object.

1 Solution

reed_kelly
Contributor

I found a work-around by adding allow_old_summaries=t. I'm just confused as to why summariesonly=t only works without Admin by adding allow_old_summaries=t.

pappjrcaa
New Member

Confirmed the same requirement in my environment - docs don't shed any light on it. Hoping to hear an answer from Splunk on this.


Lowell
Super Champion

Yup, found another one here. Running Splunk 6.3.5 with ES. What I found is that I have the Admin role, but it works from some apps (like the main ES app and some of the related ES apps), but not from Search or other custom apps.
