- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why other users cannot see results from dashboard ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds like you are using Splunk 6. I believe your first error relates to a not widely known 'feature' where saved searches used in a dashboard are run with the permissions of the saved search owner NOT as the person interacting with the dashboard - this includes the concurrent searches setting. It appears as though when somewhere between 1x and 2x your concurrent search limit is hit the remaining dashboard panels will display the error you are seeing. So if your dashboard had 6 panels and your concurrent search setting is 2 people might see anywhere between 2 and 4 panels populated and the remaining ones will display the error. At least that has been my experience. You can use this to your favor if you want to give people visibility to data or aggregate/summary views they might not otherwise have from a permissions standpoint and then disable drilldowns on the panel to avoid issues with them trying to interact with the data. As you've found, inline searches in a dashboard are run with the permissions of the person interacting with the dashboard.
As to why they aren't seeing results. It sounds like they are able to open the dashboard but if not make sure the dashboard itself is not set as private. The second step is to make sure they can generally see the logs you are referencing whether that is index, sourcetype, or host related. The third step as Martin points out is make sure any fields (field extractions) you are using are available to the others.
Troubleshooting these sorts of things can be a pain. Generally if others have admin rights but aren't able to see something it is because there is some config that is marked private. This saves things 'physically' in a different location than if you saved something either in the app or global but limit access (i.e. to just admins). Sounds like you have admin rights. Have you created a test account and give that the permissions of someone else who isn't able to see your content?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sounds like you are using Splunk 6. I believe your first error relates to a not widely known 'feature' where saved searches used in a dashboard are run with the permissions of the saved search owner NOT as the person interacting with the dashboard - this includes the concurrent searches setting. It appears as though when somewhere between 1x and 2x your concurrent search limit is hit the remaining dashboard panels will display the error you are seeing. So if your dashboard had 6 panels and your concurrent search setting is 2 people might see anywhere between 2 and 4 panels populated and the remaining ones will display the error. At least that has been my experience. You can use this to your favor if you want to give people visibility to data or aggregate/summary views they might not otherwise have from a permissions standpoint and then disable drilldowns on the panel to avoid issues with them trying to interact with the data. As you've found, inline searches in a dashboard are run with the permissions of the person interacting with the dashboard.
As to why they aren't seeing results. It sounds like they are able to open the dashboard but if not make sure the dashboard itself is not set as private. The second step is to make sure they can generally see the logs you are referencing whether that is index, sourcetype, or host related. The third step as Martin points out is make sure any fields (field extractions) you are using are available to the others.
Troubleshooting these sorts of things can be a pain. Generally if others have admin rights but aren't able to see something it is because there is some config that is marked private. This saves things 'physically' in a different location than if you saved something either in the app or global but limit access (i.e. to just admins). Sounds like you have admin rights. Have you created a test account and give that the permissions of someone else who isn't able to see your content?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's caused by source type renaming permissions, thank you very much for the detailed answers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A common cause is privately defined configuration objects, such as field extractions or lookups. Without them another user sees your dashboard and searches, but would not get the desired data extracted for reporting.
Make sure those objects are shared with whoever is able to read the dashboard.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I previously created some reports with global access, then create a dashboard using those reports. The dashboard is also global accessible. But not sure why some of the reports always failed with error: "In handler 'savedsearch':error while dispatching search" so I cannot use it. Instead, I use inline searches in the dashboard. It's good to get result as created user, however, no result found when opening the dashboard as another user, no matter admin or general user. Any idea about it? Any other settings necessary for other users to see result from inline searches?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
