Splunk Search

Why can't a non-admin user search my accelerated data model?

john_dagostino
Path Finder

I've created two accelerated data models. As admin, I can search each of them with |tstats summariesonly=t FROM datamodel=yadayadayada, however, as a non-admin user, I can only search one of the two. If I remove summariesonly=t from the search, they are both accessible, however, for the one that's not working when I include summariesonly=t, I get no results.

I've checked the local.meta and both data models have the same permissions. Nothing of value in the _internal and _audit logs that I can find. Any ideas?

0 Karma

alinsinpalean
New Member

What worked for me was to give the user (or rather one of the user's roles) the accelerate_search capability.

0 Karma

gsopkoTC
Path Finder

My guess is that you have to set the permission of the datamodel and all associated objects to be owned by nobody. If you go to Settings->Data models and expand the datamodel in question you will see something like this: "Permissions Shared Globally. Owned by admin. Edit". So, only those with the admin role will be able to see it.

However, you'll have to drill down into the data model and verify permissions for all the associated objects (and fields?).

0 Karma

kpkeimig
Path Finder

Although this led me in the right direction, it took me way too long to figure out... My issue was app1 had correct perms for the users role (not where the datamodel was created); the datamodel had correct read only perms for the user role and was global; but app2, (where the datamodel was created) was not global and did not have read only perms for the users role.

0 Karma
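The permission mismatch described in the post above, shown as metadata stanzas. This is an added example, not the poster's own configuration: the app names app1 and app2 come from the post, while the data model name my_datamodel, the role name user, and the $SPLUNK_HOME/etc/apps/app2/metadata/local.meta path are assumptions for illustration. The first fragment is the broken state (the data model stanza is global and readable by the role, but app2 itself is not exported and grants no read access), the second is the corrected state.

```ini
# $SPLUNK_HOME/etc/apps/app2/metadata/local.meta (BROKEN state, constructed example)
# The app-level stanza "[]" is not exported and only admin can read it, so a
# non-admin role never reaches the data model (or its summaries) defined here,
# even though the datamodel stanza itself looks correct.
[]
access = read : [ admin ], write : [ admin ]
export = none

[datamodel/my_datamodel]
access = read : [ admin, user ], write : [ admin ]
export = system
owner = admin

# $SPLUNK_HOME/etc/apps/app2/metadata/local.meta (FIXED state, constructed example)
# The app is shared globally and readable by all roles; the data model stays
# global, is readable by the "user" role, and (per gsopkoTC's advice) is owned
# by nobody rather than by a specific admin account.
[]
access = read : [ * ], write : [ admin ]
export = system

[datamodel/my_datamodel]
access = read : [ admin, user ], write : [ admin ]
export = system
owner = nobody
```

A quick way to confirm what a given role actually sees is to log in as a member of that role and run `| rest /services/data/models splunk_server=local | table title eai:acl.app eai:acl.sharing eai:acl.perms.read`: a data model that is missing from that output, or whose app is not listed as global, is the one whose app-level permissions still need fixing. After changing metadata, re-check with the `summariesonly=t` search from the original question rather than the unrestricted one, since the unrestricted search falls back to raw events and hides the problem.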

john_dagostino
Path Finder

The data model which is working is owned by the same user so I'm not sure that will help but I'll give it a shot. I was able to get it working by adding in "allow_old_summaries=t" to the search, although I'm not sure why it works without it for the admin user.

|tstats summariesonly=t allow_old_summaries=t count FROM datamodel=yadayadayada

0 Karma