My team and I are receiving an email for an alert that I set up. When I receive the email, there is a link to view the search and its results. The link works for me (as I created the search), but none of my teammates are able to resolve the URL properly.
Error message:
The search you requested could not be found.
Did you grant permissions for other people to access the alert and the search, or are they still private to you? See Alert permissions in the Alerting Manual.
Did you grant permissions for other people to access the alert and the search, or are they still private to you? See Alert permissions in the Alerting Manual.
Yes, the alerts are all granted Read/Write for the app itself.
And the other people also have the right permissions to run the search itself? That is, can they run the search on its own, outside of clicking the link in the email? Just covering the basics here.
Yes, I've confirmed with others. I watched another person open the saved alert and open it in search as well. Additionally, clicking on the alert name in the email allows everyone to view the alert (and open in search from there), but the "View results" button does not work unless it's me.
Is it possible that this is related to the email link format? Links are showing up as /en-us/app/$APP_NAME/@go?sid=scheduler__$USER. Seems like only $USER is able to use the link.
Hi @kpyfan,
A couple of troubleshooting questions:
What software version are you using? I see your post is tagged "6.3.0"--could you confirm?
Is the alert scheduled or real-time?
Splunk Enterprise 6.3.0.1, alert is scheduled.
Thank you for the update! I believe this is a known issue and it has been fixed as of 6.3.2. If you are able to upgrade, I think this will solve the problem.
Issue SPL-108433
Awesome, thanks for the help guys! We will work on getting upgraded!
The defect summary (SPL-108433) is "Power user having read and write permissions for a saved search owned by an admin user is unable to view results from scheduled email," which sounds just like your issue.