Splunk Search

Why can't a non-admin user search my accelerated data model?

john_dagostino
Path Finder

I've created two accelerated data models. As admin, I can search each of them with |tstats summariesonly=t FROM datamodel=yadayadayada; however, as a non-admin user, I can only search one of the two. If I remove summariesonly=t from the search, they are both accessible; however, for the one that's not working when I include summariesonly=t, I get no results.

I've checked the local.meta and both data models have the same permissions. Nothing of value in the _internal and _audit logs that I can find. Any ideas?

0 Karma

alinsinpalean
New Member

FYI, what worked in my case was to give the user (or rather one of the user's roles) the accelerate_search capability.

0 Karma

gsopkoTC
Path Finder

My guess is that you have to set the permission of the datamodel and all associated objects to be owned by nobody. If you go to Settings->Data models and expand the datamodel in question you will see something like this: "Permissions Shared Globally. Owned by admin. Edit". So, only those with the admin role will be able to see it.

However, you'll have to drill down into the data model and verify permissions for all the associated objects (and fields?).

0 Karma

kpkeimig
Path Finder

Although this led me in the right direction, it took me way too long to figure out... My issue was app1 had correct perms for the user's role (not where the datamodel was created); the datamodel had correct read-only perms for the user role and was global; but app2 (where the datamodel was created) was not global and did not have read-only perms for the user's role.

0 Karma
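
An added example, not part of any post in this thread: a small Python check for the situation kpkeimig describes, where the data model itself grants read to a role and is global but the app it was created in does not. The metadata text is constructed, the stanza name `datamodels/My_Model` and the role `analyst` are assumptions, and inheritance is simplified to a fallback on the app-level `[]` stanza.

```python
import re

# Constructed sample of an app's metadata/local.meta (not taken from the thread).
# "datamodels/My_Model" and the role "analyst" are assumed names.
SAMPLE_META = """\
[]
access = read : [ admin ], write : [ admin ]

[datamodels/My_Model]
access = read : [ admin, analyst ], write : [ admin ]
export = system
"""

def parse_meta(text):
    """Return {stanza_name: {key: value}} for the text of a .meta file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})  # "[]" becomes ""
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def readers(access):
    """Extract the role names from the 'read : [ ... ]' part of an access value."""
    m = re.search(r"read\s*:\s*\[([^\]]*)\]", access or "")
    return {r.strip() for r in m.group(1).split(",") if r.strip()} if m else set()

def check_role(meta_text, object_stanza, role):
    """Report app-level and object-level read access and export for one role."""
    meta = parse_meta(meta_text)
    app, obj = meta.get("", {}), meta.get(object_stanza, {})
    # Simplification: an object with no access line of its own uses the app-level one.
    obj_access = obj.get("access", app.get("access"))
    allowed = lambda roles: "*" in roles or role in roles
    return {
        "app_read": allowed(readers(app.get("access"))),
        "object_read": allowed(readers(obj_access)),
        "app_exported": app.get("export") == "system",
        "object_exported": obj.get("export") == "system",
    }

if __name__ == "__main__":
    print(check_role(SAMPLE_META, "datamodels/My_Model", "analyst"))
```
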

john_dagostino
Path Finder

The data model which is working is owned by the same user so I'm not sure that will help but I'll give it a shot. I was able to get it working by adding in "allow_old_summaries=t" to the search, although I'm not sure why it works without it for the admin user.

|tstats summariesonly=t allow_old_summaries=t count FROM datamodel=yadayadayada

0 Karma