Splunk Search

Why can't a non-admin user search my accelerated data model?

john_dagostino
Path Finder

I've created two accelerated data models. As admin, I can search each of them with |tstats summariesonly=t FROM datamodel=yadayadayada; however, as a non-admin user, I can only search one of the two. If I remove summariesonly=t from the search, both are accessible; however, for the one that's not working when I include summariesonly=t, I get no results.

I've checked the local.meta and both data models have the same permissions. Nothing of value in the _internal and _audit logs that I can find. Any ideas?

0 Karma

alinsinpalean
New Member

FYI, what worked in my case was to give the user (or rather one of the user's roles) the accelerate_search capability.

0 Karma

gsopkoTC
Path Finder

My guess is that you have to set the permission of the datamodel and all associated objects to be owned by nobody. If you go to Settings->Data models and expand the datamodel in question you will see something like this: "Permissions Shared Globally. Owned by admin. Edit". So, only those with the admin role will be able to see it.

However, you'll have to drill down into the data model and verify permissions for all the associated objects (and fields?).

0 Karma

kpkeimig
Path Finder

Although this led me in the right direction, it took me way too long to figure out... My issue was that app1 had correct perms for the user role (not where the datamodel was created); the datamodel had correct read-only perms for the user role and was global; but app2 (where the datamodel was created) was not global and did not have read-only perms for the user role.

0 Karma

john_dagostino
Path Finder

The data model which is working is owned by the same user so I'm not sure that will help but I'll give it a shot. I was able to get it working by adding in "allow_old_summaries=t" to the search, although I'm not sure why it works without it for the admin user.

|tstats summariesonly=t allow_old_summaries=t count FROM datamodel=yadayadayada

0 Karma
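The replies above converge on three things to check when a non-admin gets an empty result from summariesonly=t: read access on the data model object itself, the sharing and read access of the app that owns it when the search runs from another app, and the accelerate_search capability on one of the user's roles. The following is an added example, not code from this thread or from Splunk, that applies those three checks to constructed local.meta and authorize.conf fragments modelled on kpkeimig's scenario. The stanza names ([datamodels/<name>], [role_<name>]), the semicolon-separated importRoles key and the read/write access syntax follow Splunk's conf format; the parser, the "app default then object stanza" precedence and the absence of default.meta and role-level ACL inheritance are simplifying assumptions, not Splunk's own access logic.

```python
import re
from typing import Dict, List, Optional, Set

# ---- constructed sample inputs (assumptions, not from the thread) ----------
# app2/metadata/local.meta for the app where the data model was created:
# the app-wide '[]' stanza is readable only by admin and not exported,
# while the data model object is shared globally and readable by 'user'.
APP2_LOCAL_META = """
[]
access = read : [ admin ], write : [ admin ]
export = none

[datamodels/yadayadayada]
access = read : [ admin, user ], write : [ admin ]
export = system
owner = admin
"""

# Same file after fixing the app-level sharing.
APP2_LOCAL_META_FIXED = APP2_LOCAL_META.replace(
    "access = read : [ admin ], write : [ admin ]\nexport = none",
    "access = read : [ admin, user ], write : [ admin ]\nexport = system")

# authorize.conf: 'user' imports 'power', and neither carries accelerate_search.
AUTHORIZE_CONF = """
[role_admin]
accelerate_search = enabled

[role_power]
schedule_search = enabled

[role_user]
importRoles = power
"""
AUTHORIZE_CONF_FIXED = AUTHORIZE_CONF + "accelerate_search = enabled\n"


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .conf/.meta parser: '[stanza]' headers, 'key = value' lines.
    The empty header '[]' is the app-wide default stanza used in local.meta."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_access(access: str) -> Dict[str, Set[str]]:
    """Turn 'read : [ a, b ], write : [ c ]' into {'read': {a, b}, 'write': {c}}."""
    result: Dict[str, Set[str]] = {"read": set(), "write": set()}
    for m in re.finditer(r"(read|write)\s*:\s*\[([^\]]*)\]", access):
        result[m.group(1)] = {r.strip() for r in m.group(2).split(",") if r.strip()}
    return result


def role_capabilities(auth: Dict[str, Dict[str, str]], role: str,
                      seen: Optional[Set[str]] = None) -> Set[str]:
    """Enabled capabilities of a role, including those reached via importRoles."""
    seen = set() if seen is None else seen
    if role in seen:            # guard against import cycles
        return set()
    seen.add(role)
    stanza = auth.get(f"role_{role}", {})
    caps = {k for k, v in stanza.items() if v.lower() == "enabled"}
    for parent in stanza.get("importRoles", "").split(";"):
        if parent.strip():
            caps |= role_capabilities(auth, parent.strip(), seen)
    return caps


def diagnose(user_roles: List[str], model: str, owning_app_meta: str,
             authorize_conf: str, searched_from_owning_app: bool) -> List[str]:
    """List the reasons a summariesonly=t search would return nothing for this
    user; an empty list means all three checks from the thread passed."""
    problems: List[str] = []
    roles = set(user_roles)
    meta = parse_conf(owning_app_meta)
    app_default = meta.get("", {})
    stanza = meta.get(f"datamodels/{model}", {})

    def readable(acl: str) -> bool:
        readers = parse_access(acl)["read"]
        return "*" in readers or bool(readers & roles)

    # 1. the data model object grants read to one of the user's roles
    if not readable(stanza.get("access", app_default.get("access", ""))):
        problems.append(f"datamodels/{model}: no read access for {sorted(roles)}")
    # 2. from another app, the object must be exported and the owning app readable
    if not searched_from_owning_app:
        if stanza.get("export", app_default.get("export", "none")) != "system":
            problems.append(f"datamodels/{model}: not exported to other apps")
        if not readable(app_default.get("access", "")):
            problems.append("owning app: its [] stanza grants the user no read access")
    # 3. at least one role carries the accelerate_search capability
    auth = parse_conf(authorize_conf)
    if not any("accelerate_search" in role_capabilities(auth, r) for r in roles):
        problems.append("no role carries the accelerate_search capability")
    return problems


if __name__ == "__main__":
    for label, meta, auth in (("before", APP2_LOCAL_META, AUTHORIZE_CONF),
                              ("after", APP2_LOCAL_META_FIXED, AUTHORIZE_CONF_FIXED)):
        print(label, diagnose(["user"], "yadayadayada", meta, auth, False))
```

Run against the "before" fragments the checker reports the two problems from kpkeimig's and alinsinpalean's posts (the owning app is not readable by the user role, and no role has accelerate_search); against the "after" fragments it reports nothing. When triaging a real deployment, compare the output with what btool reports (splunk btool authorize list role_user and the app's local.meta) rather than trusting the simplified precedence used here.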