Splunk Search
Highlighted

Why can't a non-admin user search my accelerated data model?

Path Finder

I've created two accelerated data models. As admin, I can search each of them with |tstats summariesonly=t FROM datamodel=yadayadayada, however, as a non-admin user, I can only search one of the two. If I remove summariesonly=t from the search, they are both accessible, however, for the one that's not working when I include summariesonly=t, I get no results.

I've checked the local.meta and both data models have the same permissions. Nothing of value in the _internal and _audit logs that I can find. Any ideas?

0 Karma
Highlighted

Re: Why can't a non-admin user search my accelerated data model?

Path Finder

My guess is that you have to set the permission of the datamodel and all associated objects to be owned by nobody. If you go to Settings->Data models and expand the datamodel in question you will see something like this: "Permissions Shared Globally. Owned by admin. Edit". So, only those with the admin role will be able to see it.

However, you'll have to drill down into the data model and verify permissions for all the associated objects (and fields?).

0 Karma
Highlighted

Re: Why can't a non-admin user search my accelerated data model?

Path Finder

The data model which is working is owned by the same user so I'm not sure that will help but I'll give it a shot. I was able to get it working by adding in "allowoldsummaries=t" to the search, although I'm not sure why it works without it for the admin user.

|tstats summariesonly=t allow_old_summaries=t count FROM datamodel=yadayadayada
0 Karma
Highlighted

Re: Why can't a non-admin user search my accelerated data model?

Explorer

Although this led me in the right direction, it took me way too long to figure out... My issue was app1 had correct perms for the users role (not where the datamodel was created); the datamodel had correct read only perms for the user role and was global; but app2, (where the datamodel was created) was not global and did not have read only perms for the users role.

0 Karma
Highlighted

Re: Why can't a non-admin user search my accelerated data model?

New Member

What worked for me was to give the user (or rather one of the user's roles) the accelerate_search capability.,FYI, what worked in my case was to give the user (or rather one of the user's roles) the accelerate_searchcapability.

0 Karma