Splunk Search

Why can't a non-admin user search my accelerated data model?

john_dagostino
Path Finder

I've created two accelerated data models. As admin, I can search each of them with |tstats summariesonly=t FROM datamodel=yadayadayada; however, as a non-admin user, I can only search one of the two. If I remove summariesonly=t from the search, they are both accessible; however, for the one that's not working, when I include summariesonly=t I get no results.

I've checked the local.meta and both data models have the same permissions. Nothing of value in the _internal and _audit logs that I can find. Any ideas?

0 Karma

alinsinpalean
New Member

What worked for me was to give the user (or rather one of the user's roles) the accelerate_search capability.

0 Karma

gsopkoTC
Path Finder

My guess is that you have to set the permission of the datamodel and all associated objects to be owned by nobody. If you go to Settings->Data models and expand the datamodel in question you will see something like this: "Permissions Shared Globally. Owned by admin. Edit". So, only those with the admin role will be able to see it.

However, you'll have to drill down into the data model and verify permissions for all the associated objects (and fields?).

0 Karma

kpkeimig
Path Finder

Although this led me in the right direction, it took me way too long to figure out... My issue was app1 had correct perms for the user's role (not where the datamodel was created); the datamodel had correct read only perms for the user's role and was global; but app2 (where the datamodel was created) was not global and did not have read only perms for the user's role.

0 Karma
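The comparison described in the post above can be scripted. This is an added example, not code from any poster in this thread: it parses the `access` and `export` lines of an app's `metadata/local.meta` and reports what the app-level `[]` stanza and the data model stanza each grant a role. The app contents, model name `Example_Model` and role `user` are constructed, and roles inherited from other roles are not resolved.

```python
import re

# Constructed metadata/local.meta for the app that owns the data model
# (model and role names are made up; not taken from the thread).
OWNING_APP_META = """\
[]
access = read : [ admin ], write : [ admin ]

[datamodels/Example_Model]
access = read : [ * ], write : [ admin ]
export = system
owner = admin
"""

def parse_meta(text):
    """Parse .meta text into {stanza_name: {key: value}}; '' is the app-level stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def can_read(stanza, role):
    """True if the stanza's access line grants read to the role or to '*'."""
    m = re.search(r"read\s*:\s*\[([^\]]*)\]", stanza.get("access", ""))
    roles = {r.strip() for r in m.group(1).split(",")} if m else set()
    return bool({"*", role} & roles)

def audit(meta_text, model, role):
    """Return findings for the app-level stanza and the data model stanza."""
    meta = parse_meta(meta_text)
    findings = []
    for label, name in (("app", ""), ("datamodel", "datamodels/" + model)):
        stanza = meta.get(name)
        if stanza is None:
            findings.append(f"{label}: no stanza, settings are inherited")
            continue
        if not can_read(stanza, role):
            findings.append(f"{label}: no read access for role '{role}'")
        if stanza.get("export") != "system":
            findings.append(f"{label}: not exported globally")
    return findings

if __name__ == "__main__":
    for finding in audit(OWNING_APP_META, "Example_Model", "user"):
        print(finding)
```
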

john_dagostino
Path Finder

The data model which is working is owned by the same user so I'm not sure that will help but I'll give it a shot. I was able to get it working by adding in "allow_old_summaries=t" to the search, although I'm not sure why it works without it for the admin user.

|tstats summariesonly=t allow_old_summaries=t count FROM datamodel=yadayadayada

0 Karma