Certain users not able to see data - PaloAlto App

JScordo
Path Finder

I have certain users that are not able to see populated dashboards in the app. For example, my Sec_User can see the overview page (as can my admin user), but when my Sec_User goes to the "Traffic Dashboard" it is empty (my admin user can see the populated dashboard), and when Sec_User runs a search for threat events I get data back running this search: index=pan_logs sourcetype=*threat*

When Sec_User clicks down into the "Protocols Over Time" panel they get no results. The job inspect looks like this: This search has completed, but did not match any events. The terms specified in the highlighted portion of the search:

None | tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log.traffic.end" groupby _time log.protocol span=5m | timechart span=5m values(count) by log.protocol

When the admin user clicks down into the same panel, results are returned. At first I thought the Sec_User didn't have permissions for the macro or datamodel, but the Sec_User has write permissions on the entire app. I'm not sure why they can't see the dashboard though. Any help would be appreciated, and feel free to ask questions regarding my settings.

Thank you.

0 Karma

btorresgil
Builder

Since both users can see the data in the index (i.e. the Overview dashboard), it doesn't seem to be an issue with index permissions.

But Sec_User can't see the other dashboards which pull from the datamodel, not the index. So it is most likely a permission issue with the datamodels. Even if the user has full permissions on the App, the datamodel has its own permissions which could interfere. Check the datamodel permissions to see what roles are permitted to view it.

Splunk support should be able to help further if you get stuck. This isn't an app-specific issue, but is a configuration question with Splunk Enterprise permissions which they should be able to assist with.

0 Karma
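The check suggested in the answer above, sketched as an added example (not code from the thread or from the Palo Alto app): it parses an app's metadata/local.meta-style ACL text and resolves which stanza actually governs read access to a datamodel. The sample file contents and the role name `sec_role` are constructed, and the user's roles are assumed to be already expanded to include inherited roles.

```python
import re

# Constructed sample of an app's metadata/local.meta; not taken from the thread.
SAMPLE_META = """
[]
access = read : [ * ], write : [ admin ]

[datamodels]
access = read : [ admin, power ], write : [ admin ]

[datamodels/pan_firewall]
access = read : [ admin, power, sec_role ], write : [ admin, power ]
"""

ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")

def parse_meta(text):
    """Return {stanza: {"read": set, "write": set}} for stanzas that set access."""
    acl, stanza = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]          # "[]" becomes the app-wide stanza ""
        elif stanza is not None and line.startswith("access"):
            acl[stanza] = {op: {r.strip() for r in roles.split(",") if r.strip()}
                           for op, roles in ACCESS_RE.findall(line)}
    return acl

def effective_acl(acl, obj_type, name):
    """Most specific stanza wins: [type/name], then [type], then []."""
    for stanza in (f"{obj_type}/{name}", obj_type, ""):
        if stanza in acl:
            return stanza, acl[stanza]
    # No stanza in this file: treated as no access here (assumption of this example).
    return None, {"read": set(), "write": set()}

def can(acl, roles, op, obj_type, name):
    """True if any of the user's roles is granted op on the object."""
    _, perms = effective_acl(acl, obj_type, name)
    allowed = perms.get(op, set())
    return "*" in allowed or bool(allowed & set(roles))
```

With this sample, the app-wide `[]` stanza grants read to everyone, yet a datamodel without its own stanza falls under `[datamodels]`, which does not list `sec_role`.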

JScordo
Path Finder

Everyone has Read permissions and Sec_User specifically (along with admin and power) has write permissions. I might have to open a support ticket. I figured I would come here first.

0 Karma

JScordo
Path Finder

The above is in regard to the datamodel that is pulled in the Threat Dashboard panel which is stated in the "job inspect" page.

None | tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log.traffic.end" groupby _time log.protocol span=5m | timechart span=5m values(count) by log.protocol

0 Karma

btorresgil
Builder

That's right, the "pan_firewall" datamodel. Sounds correctly configured to me, and the data is clearly there since the admin user can see it. Sounds like a support ticket would help here, very interested to hear what you find out.

0 Karma

panguy
Contributor

Hi, did you create roles for your users? Make sure the Indexes searched by default is available to the role for your Sec_user.

0 Karma

JScordo
Path Finder

Sec_User has access to all non-internal by default.

0 Karma

panguy
Contributor

Try adding pan_log index to the default search for sec_user.

0 Karma

JScordo
Path Finder

I added pan_logs to the default searchable indexes (even though "all non-internal indexes" was already selected). Same thing: no results on the Traffic Dashboard.

0 Karma