Splunk Search

When my team and I receive emails for an alert I set up, why is the link to view the search results broken for everyone except me?

Explorer

My team and I are receiving an email for an alert that I set up. When I receive the email, there is a link to view the search and its results. The link works for me (as I created the search), but none of my teammates are able to resolve the URL properly.

Error message:
The search you requested could not be found.

0 Karma
1 Solution

Splunk Employee
Splunk Employee

Did you grant permissions for other people to access the alert and the search, or are they still private to you? See Alert permissions in the Alerting Manual.

View solution in original post

Splunk Employee
Splunk Employee

Did you grant permissions for other people to access the alert and the search, or are they still private to you? See Alert permissions in the Alerting Manual.

View solution in original post

Explorer

Yes, the alerts are all granted Read/Write for the app itself.

0 Karma

Splunk Employee
Splunk Employee

And the other people also have the right permissions to run the search itself? That is, can they run the search on its own, outside of clicking the link in the email? Just covering the basics here.

0 Karma

Explorer

Yes, I've confirmed with others. I watched another person open the saved alert and open it in search as well. Additionally, clicking on the alert name in the email allows everyone to view the alert (and open in search from there), but the "View results" button does not work unless it's me.

Is it possible that this is related to the email link format? Links are showing up as /en-us/app/$APPNAME/@go?sid=scheduler_$USER. Seems like only $USER is able to use the link.

0 Karma

Splunk Employee
Splunk Employee

Hi @kpyfan,
A couple of troubleshooting questions:

What software version are you using? I see your post is tagged "6.3.0"--could you confirm?

Is the alert scheduled or real-time?

Explorer

Splunk Enterprise 6.3.0.1, alert is scheduled.

0 Karma

Splunk Employee
Splunk Employee

Thank you for the update! I believe this is a known issue and it has been fixed as of 6.3.2. If you are able to upgrade, I think this will solve the problem.

See http://docs.splunk.com/Documentation/Splunk/6.3.2/ReleaseNotes/6.3.2#Search.2C_saved_search.2C_alert...

Issue SPL-108433

Explorer

Awesome, thanks for the help guys! We will work on getting upgraded!

Splunk Employee
Splunk Employee

The defect summary (SPL-108433) is "Power user having read and write permissions for a saved search owned by an admin user is unable to view results from scheduled email," which sounds just like your issue.