Got these error messages with all users under one particular role: "Search operation 'rangemap' is unknown. You might not have permission to run this operation" or "Search operation 'gauge' is unknown. You might not have permission to run this operation."
[role_production_support]
change_own_password = enabled
get_metadata = enabled
get_typeahead = enabled
list_inputs = enabled
request_remote_tok = enabled
rest_apps_view = enabled
rest_properties_get = enabled
rest_properties_set = enabled
search = enabled
schedule_search = enabled
srchIndexesAllowed = *
srchDiskQuota = 500
srchJobsQuota = 50
It appears this is not limited to just rangemap and gauge. It seems to be a problem with all *.py scripts on my system. My symptom was that "admin" could run all the *.py scripts located in $SPLUNK_HOME/etc/apps/search/bin, including rangemap and gauge. But regular users in any role I created could not run the scripts, even though they were set up with "read" permission and the scripts were "global".
A work-around that I used was:
Step 1. Copy rangemap.py (likewise with gauge.py and any other *.py script you need) from the $SPLUNK_HOME/etc/apps/search/bin directory to the $SPLUNK_HOME/etc/system/bin directory.
Step 2. Add the following stanza to $SPLUNK_HOME/etc/system/local/commands.conf:
[rangemap]
filename = rangemap.py
supports_getinfo = true
supports_rawargs = true
Step 3. Add the following stanza to $SPLUNK_HOME/etc/system/local/authorize.conf:
[capability::run_script_rangemap]
Step 4. Add the following to your custom role stanza. This is the stanza you created when you set up a new role in Splunk Manager > Access Controls > Roles:
[your_role]
run_script_rangemap = enabled
Step 5. Restart Splunk.
This worked for me, although I would not consider it a permanent fix because I would have to copy the *.py scripts again if Splunk updates them.
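An added example, not part of the original answer and not Splunk's own code: a Python check that reads commands.conf and authorize.conf text and reports, for each script-backed command, whether its run_script_<name> capability is declared (Step 3) and which roles have it enabled (Step 4). The sample file contents and the role_helpdesk role are constructed, and the role_ stanza prefix is assumed from the stanza shown in the question.

```python
import configparser

# Constructed sample file contents; role_helpdesk is a made-up role.
SAMPLE_COMMANDS = """[rangemap]
filename = rangemap.py
supports_getinfo = true
supports_rawargs = true
[gauge]
filename = gauge.py
"""
SAMPLE_AUTHORIZE = """[capability::run_script_rangemap]
[role_production_support]
search = enabled
run_script_rangemap = enabled
run_script_gauge = enabled
[role_helpdesk]
search = enabled
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. srchIndexesAllowed
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def audit_run_script(commands_text, authorize_text):
    """Return (report, orphans) for script-backed search commands."""
    commands, authorize = parse_conf(commands_text), parse_conf(authorize_text)
    declared = {s.split("::", 1)[1] for s in authorize
                if s.startswith("capability::run_script_")}
    roles = {s[len("role_"):]: kv for s, kv in authorize.items()
             if s.startswith("role_")}
    report = {}
    for name, kv in commands.items():
        if "filename" not in kv:
            continue
        cap = "run_script_" + name
        granted = sorted(r for r, rkv in roles.items()
                         if (rkv.get(cap) or "").strip().lower() == "enabled")
        report[name] = {"declared": cap in declared, "roles": granted}
    # Role grants naming a capability that has no [capability::...] stanza.
    orphans = sorted((r, k) for r, rkv in roles.items() for k in rkv
                     if k.startswith("run_script_") and k not in declared)
    return report, orphans

if __name__ == "__main__":
    report, orphans = audit_run_script(SAMPLE_COMMANDS, SAMPLE_AUTHORIZE)
    for name, info in report.items():
        print(name, info)
    print("grants without a declared capability:", orphans)
```

Running the same check against the real files after Step 5 shows at a glance which roles were given each script capability and whether any command was granted without the matching Step 3 stanza.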
Could you post the search?