After upgrading from Splunk 6.2.x to 6.3.0, why are scheduled searches by users not accessible to others? "The view you requested could not be found."

nirmah
Explorer

Hi,

When accessing recent runs of searches by link in the form of:
http_//splunkserver/sv-SE/app/appname/@go?sid=scheduler_username_identifier-at-time

Example: user john doe created the scheduled search and the link to get to it is as follows:
http_//splunkserver.se/sv-SE/app/myapp/@go?sid=scheduler_johndoe_YXZhbnphLXN1cnZlaWxsYW5jZQ__RMD5f9dd4cd6d8829f68_at_1447675200_77841

All users other than admin user and the user who scheduled the search are faced with this message following the link:

"The view you requested could not be found."

The access is made within the TTL (since it works for john doe) and I think I have full read rights on all that have tried accessing the search.

I have until now not found an answer to this and I think this appeared when upgrading from 6.2.x to 6.3.0 recently.

Thanks in advance!
/Per

1 Solution

splunkIT
Splunk Employee

Looks like you are hitting a known bug (SPL-108433), which has been addressed in maintenance release 6.3.2 and higher:
http://docs.splunk.com/Documentation/Splunk/6.3.2/ReleaseNotes/6.3.2

0 Karma

nirmah
Explorer

I found the answer myself!

In accordance with http://docs.splunk.com/Documentation/Splunk/6.3.1/Report/Schedulereports the results.url is now deprecated and it recommends use of results_link instead.

Don't know if this should have been taken care of by the migration or what but alert_actions.conf still says that the $results.url$ are passed to scripts etc.

So if anyone else has a problem with this, change results.url to results_link and it'll work.

nirmah
Explorer

After more digging I find that I hit some 403 when getting the search under the hood.

0 Karma

SplunkShawnCt
Explorer

Was this ever resolved?

0 Karma

burwell
SplunkTrust

I can totally reproduce this bug.

1) Using Splunk 6.3.1, have an Admin user create a savedsearch/alert.
2) Change the permissions on the saved search so that all can read and you can put the app in "All Apps".
3) Modify search to send mail to a Power user and an Admin user.
4) The Admin user can see the content. The Power user will get "The view you requested could not be found."

I opened a case yesterday with Splunk about this. I believe also that it used to work and is likely a 6.2->6.3 bug.

0 Karma

burwell
SplunkTrust

Update: I tried on Splunk 6.3.2 and the problem is fixed.

0 Karma

nirmah
Explorer

Have not yet got this to work properly by adding the "command " in all stanzas in the splunk/etc/system/local/alert_action.conf. Still default says $results.url$.
Reporting here when I have something working in case anyone else has the same problem.

0 Karma

nirmah
Explorer

For some reason the $results_link$ and $results.url$ produce the same (non functioning) link.

0 Karma