Alerting

Setting up permissions for viewing alerts?

szabados
Communicator

Users within my environment who have the Power user role in Splunk can't access the results of the alert; they are getting the "The view you requested could not be found." error message all the time. They have the "schedule_search" capability, which I believe is the one needed for this. It doesn't matter whether they try to open the link from the alert email or from the triggered alerts list in the web GUI.
Edit:
I checked in the audit.log, the only capability the user was denied is the "edit_user".
I granted this capability to the user's role, but they still can't see the alert; however, the denied lines disappeared from the log.

mgranger1
Path Finder

I'm having the exact same issue. The user is able to execute the alert search directly from the search bar, however when they attempt to open the "View Results" link in the alert email, it tells them, "The view you requested could not be found." As an administrative user, I am able to open the email link without issue, but a user or power user is unable to open the link.

0 Karma

frobinson_splun
Splunk Employee

Hi @szabados,
As a start, you could review the alert and alert action permissions that are set currently for this alert. Alerts and alert actions are knowledge objects with their own permissions. Here is some documentation:
http://docs.splunk.com/Documentation/Splunk/6.3.1511/Alert/AlertPermissions

Hope this helps!

0 Karma

szabados
Communicator

Thanks, but the concerned user's role has even write permissions (I've found this is a possible solution at a different question) for those objects.

0 Karma

somesoni2
SplunkTrust

If you look at the URL which will be launched on the click of "View results in Splunk", it points to a search result in the dispatch directory, which may have expired or been removed from the dispatch directory, depending upon the search job expiration. If the job is expired, you'll get that error, even as admin.

0 Karma

szabados
Communicator

Hi,

I'm afraid this is not the case. If there is a triggered alert, I can access it as an administrator, but not with a power user. The job can't be expired, because it was run like 1 minute ago, and it is also visible as admin.
Edit:
If I create an alert with a power user, that user can see its own alert.

0 Karma