Hi,
When accessing recent runs of searches by link in the form of:
http_//splunkserver/sv-SE/app/appname/@go?sid=scheduler_username_identifier-at-time
Example: user john doe created the scheduled search and the link to get to it is as follows:
http_//splunkserver.se/sv-SE/app/myapp/@go?sid=scheduler_johndoe_YXZhbnphLXN1cnZlaWxsYW5jZQ__RMD5f9dd4cd6d8829f68_at_1447675200_77841
All users other than admin user and the user who scheduled the search are faced with this message following the link:
"The view you requested could not be found."
The access is made within the TTL (since it works for john doe) and I think I have full read rights on all that have tried accessing the search.
I have until now not found an answer to this and I think this appeared when upgrading from 6.2.x to 6.3.0 recently.
Thanks in advance!
/Per
Looks like you are hitting a known bug (SPL-108433), which has been addressed in maintenance release 6.3.2 and higher:
http://docs.splunk.com/Documentation/Splunk/6.3.2/ReleaseNotes/6.3.2
I found the answer myself!
According to http://docs.splunk.com/Documentation/Splunk/6.3.1/Report/Schedulereports the results.url is now deprecated and it recommends use of results_link instead.
Don't know if this should have been taken care of by the migration or what, but alert_actions.conf still says that the $results.url$ are passed to scripts etc.
So if anyone else has a problem with this, change results.url to results_link and it'll work.
After more digging I find that I hit some 403 when getting the search under the hood.
Was this ever resolved?
I can totally reproduce this bug.
1) Using Splunk 6.3.1, have an Admin user create a savedsearch/alert.
2) Change the permissions on the saved search so that all can read and you can put the app in "All Apps".
3) Modify search to send mail to a Power user and an Admin user.
4) The Admin user can see the content. The Power user will get "The view you requested could not be found."
I opened a case yesterday with Splunk about this. I believe also that it used to work and is likely a 6.2->6.3 bug.
Update: I tried on Splunk 6.3.2 and the problem is fixed.
Have not yet got this to work properly by adding the "command" in all stanzas in the splunk/etc/system/local/alert_action.conf. Default still says $results.url$.
Reporting here when I have something working in case anyone else has the same problem.
For some reason the $results_link$ and $results.url$ produce the same (non-functioning) link.