- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Why are Triggered Alerts not getting deleted by a ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are Triggered Alerts not getting deleted by a non-Owner User?
Hi,
We have the following scenario:
A User X mapped to Role A, creates a Scheduled Search that triggers an Alert 5 times in a Day. These are listed in the Triggered Alerts section, with Owner as User X. We have other Users Y and Z, also mapped to role A, who are able to view these Alerts in the Triggered Alerts section. These Users Y and Z are able to view results for these Alerts, they are able to edit the underlying scheduled search as well. But they are not able to Delete those Alerts. The Alerts can only be deleted by either the Owner X, or by a User mapped to admin Role.
We do not wish to give Users Y and Z an admin access, but we want them to be able to deleted these Alerts, as they are also mapped to the same Role A, as the User X.
Could someone please suggest what could be done in this scenario? We have tried assigning power role to Users Y and Z, but even that did not work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When setting permissions to your alert, make sure that role A can Read and write the alert, by simply check the read and the write box in front of Role A.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Read and Write both are checked for Role A. This just enables users Y and Z to be able to modify the underlying search. But not to delete the triggered alert.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add the Admin_all_objects capability to the Role A on Settings--- Access control---Role ---Role A and click on admin_all_objects at the left side of the Capabilities box, to make it appear at the ritht side, and save.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assigning the admin_all_objects capabilities enables the Users with Role A to be able to view some system settings, distributed settings, etc as well, which we don't want. As of now, assigning the Owner to 'nobody' for the scheduled searches has worked for me. Does having 'nobody' as Owner have any adverse impact?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is no impact. It just Means that Every one and Admin can edit your scheduled searche.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
