Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Drilldown not working for some users

LanMan6501
New Member
‎02-29-2012 11:26 AM

I created a simple report showing the top 100 IPs and their counts for a certain event. I clicked save and share results and sent the link to two other users with the same role. They are able to view the report and clicking an IP will open a new window for the drilldown, but Splunk is unable to find any hits for them. Also, when they try to execute the original search by themselves, it doesn't find anything either.

For me, it finds all the relevant events that were shown in the report when I click on an IP in the list.

I think this may be a permissions issue of some sort. I'm new to Splunk and I assumed that giving them the same role was enough. Is it not? Is there something else I'm missing?

Tags (2)
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎03-05-2012 10:07 AM

If it's not a problem with permissions in the index itself, then it might be a problem permissions on knowledge objects used to run the search.

I'd check the macros and eventtypes that you're using in the search and see if those knowledge objects are shared, or if they're private only to you.

And to troubleshoot from the other direction, expand out any knowledge objects used in the search so that the search is just to basic searchterms, and see if your users can run that search. If they can then backtrack a bit and you'll narrow it down.

0 Karma
Reply

jsb22
Path Finder
‎03-01-2012 03:44 PM

It kind of sounds like they aren't able to see the actual index the data is in. Check whether the role they are in has that particular index enabled. It can be found under Manager->Access Controls->Roles-><> and take a look at the Indexes section. If they have ALL the same roles as you have, this wouldn't be the issue, but if you have an extra role, this could be the issue?

0 Karma
Reply

LanMan6501
New Member
‎03-05-2012 08:13 AM

This is a test instance with very few users. I haven't created any other roles at this point. I just checked to make sure that I didn't have something applied that they didn't, but we seemt to be identical.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...