I have a search with two transactions:
index=myindex | transaction queue_id sendmail_uid message_id maxspan=5s | search $whatever$ | transaction message_id | table message_id from to
And the result for user admin (role admin):
message_id from to
1007998@re.com ntf-16_1-info_=_schuf.com 805@nm.de
info@schxxxxxx.bla
v4@mailxxxxxxx.e
So OK, but for a user with the role user, it seems that the second transaction doesn't work.
He sees only the events from the first transaction. Also 3 events in the example above.
The settings of this user
and he can only search the index myindex
I think something is missing, but what?
Make sure that user can see all the field extractions/lookups/wherever the required fields come from.
Ah, I have it.
I use fields from the app 'Syslog for Postfix' and the user-role could not read this app.
Thx martin_mueller 😄
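
Added example, not part of the original thread: a small Python check for the cause found above, a role without read access to the app that supplies the field extractions. The metadata text is constructed (the real app's metadata file is not shown on the page); the check assumes Splunk's rule that a role needs read access at every layer (app `[]`, category such as `[props]`, the object itself) that sets `access`, and it ignores role inheritance.

```python
import re

# Constructed metadata for a hypothetical app: only admin may read it.
META_BEFORE = """\
[]
access = read : [ admin ], write : [ admin ]
export = system
"""

# Constructed corrected version: role "user" may read the app and its props.
META_AFTER = """\
[]
access = read : [ admin, user ], write : [ admin ]
export = system

[props]
access = read : [ * ], write : [ admin ]
"""

def parse_meta(text):
    """Return {stanza: roles with read access} for stanzas that set access."""
    readers, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]  # "" is the app-level stanza []
            continue
        m = re.match(r"access\s*=.*?read\s*:\s*\[([^\]]*)\]", line)
        if m and stanza is not None:
            readers[stanza] = {r.strip() for r in m.group(1).split(",") if r.strip()}
    return readers

def can_read(text, role, obj):
    """obj is 'category/name' (hypothetical name), e.g. 'props/some_extraction'.

    Returns (True, None) or (False, layer_that_blocks)."""
    readers = parse_meta(text)
    category = obj.split("/", 1)[0]
    for layer in ("", category, obj):  # app, category, object
        allowed = readers.get(layer)
        if allowed is not None and role not in allowed and "*" not in allowed:
            return False, layer or "[] (app level)"
    return True, None

if __name__ == "__main__":
    for name, meta in (("before", META_BEFORE), ("after", META_AFTER)):
        print(name, can_read(meta, "user", "props/some_extraction"))
```

When the check reports a blocking layer for a role, searches run as that role still return events, but fields defined by the app's extractions are absent, which matches the behaviour in the question where the second `transaction message_id` had nothing to group on.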