Splunk Enterprise Security

Splunk Enterprise Security: Why am I receiving "Search could not be updated: [HTTP 500]" error when trying to save correlation search as ess_admin?

droth333
Explorer

In Splunk Enterprise Security (ES), we cannot save a correlation search as a user with ess_admin. This works if user is admin.

The navigation is: ES/Configure/Content Management/Create new Content/Correlation Search//Save

The full error is displayed in error bar in the UI:

Search could not be updated: [HTTP 500] Splunkd internal error; [{'type': 'ERROR', 'code': None, 'text': 'Unexpected error "" from python handler: "[HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/SA-ThreatIntelligence/storage/collections/data/correlations.... See splunkd.log for more details.'}]

There is not much more in splunkd.log

Is "configuration" change actually a literal "admin" function?
We want to make all "users" of ES to be at most ess_admin.

Thanks,
Dave

0 Karma
1 Solution

smoir_splunk
Splunk Employee
Splunk Employee

You cannot assign ess_admin to users. " You must use a Splunk platform admin role to administer an Enterprise Security installation." See http://docs.splunk.com/Documentation/ES/4.5.1/Install/ConfigureUsersRoles#Configuring_user_roles

If you want ess_analyst users to be able to edit correlation searches, grant them that capability on the ES Permissions page. See http://docs.splunk.com/Documentation/ES/4.5.1/Install/ConfigureUsersRoles#Add_capabilities_to_a_role

View solution in original post

smoir_splunk
Splunk Employee
Splunk Employee

You cannot assign ess_admin to users. " You must use a Splunk platform admin role to administer an Enterprise Security installation." See http://docs.splunk.com/Documentation/ES/4.5.1/Install/ConfigureUsersRoles#Configuring_user_roles

If you want ess_analyst users to be able to edit correlation searches, grant them that capability on the ES Permissions page. See http://docs.splunk.com/Documentation/ES/4.5.1/Install/ConfigureUsersRoles#Add_capabilities_to_a_role

droth333
Explorer

Thanks smoir! Much much more clear now! Also for thanks for quick response.

0 Karma
Get Updates on the Splunk Community!

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...