Splunk Search

Why do two different users using same Sh, same app, same query, and same permissions, getting two different results?

muizash
Path Finder

Why 2 different users using same Searchhead, same app and same query and same permissions get 2 different results?
Could you please write in points the things I should troubleshoot.

Thanks

0 Karma
1 Solution

muizash
Path Finder

I cloned the user that was not able to search the complete data, gave him different username and name, and now he started fetching all the data.

THis is quiet strange by Splunk.

View solution in original post

0 Karma

muizash
Path Finder

I cloned the user that was not able to search the complete data, gave him different username and name, and now he started fetching all the data.

THis is quiet strange by Splunk.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @muizash,
try to use a past time frame (e.g. yesterday or last hour), in other words not latest=now and see if you continue to have different results.
Probably the difference is in the last ingested logs.

Ciao.
Giuseppe

0 Karma

muizash
Path Finder

I checked and found out that the user with less event count, the query is not able to fetch one particular sourcetype. How to edit permissions? @gcusello

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @muizash,
sourcetypes haven't an owner or grants.
But they are in an App, so go in [Settings -- Sourcetypes] and see in what App is your sourcetype.
Then go in [Apps -- Manage Apps -- Permissions] and enable that App for the roles you need.

Ciao.
Giuseppe

0 Karma

muizash
Path Finder

Hi @gcusello
I found that app is "learned" for that particular sourcetype.

As i mentioned both users have same set of permission, if permission was the issue, why would other person be able to see the sourcetype results?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @muizash,
did you checked if the people that see the sourcetype has the same grants ot the ones with problems?
In addition, please check if in the search you're analyzing there are knowledge objects (fields, tags, eventtypes, etc...) with different grants for the two kind of users, maybe the problem is in one of these objects.
In particular see if there's one or more knowledge object used in searches or in dedup or in stats.

Ciao.
Giuseppe

0 Karma

HiroshiSatoh
Champion

Can search statements be published?
Also check if there is an error in "Search Job Inspector".

0 Karma

muizash
Path Finder

I checked and found out that the user with less event count, the query is not able to fetch one particular sourcetype. How to edit permissions? @HiroshiSatoh

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...