How to run a savedsearch with the owner permission?

ctaf
Contributor

Hello,

I am creating a dashboard with a saved search and I want it to run with the owner permission.

Using the following works:

<table>
        <title>test with owner perm</title>
        <search ref="test"></search>
        ...
</table>

But the following doesn't:

<table>
        <title>bla bla</title>
        <search>
          <query>| savedsearch test</query>
        </search>
</table>

Unfortunately, I need to use the "savedsearch" command in order to map a token in my savedsearch. But using "savedsearch", the search is run as the user, not the owner.

Any idea?


somesoni2
SplunkTrust

When you use the <search ref=".., it basically loads and runs the Report itself, and the user under which it'll run is decided by how it was set up (to run as owner OR run as user). You can't change the Report search or time range.

When you use the | savedsearch reportname command, it basically replaces the query of the report there itself and runs as a regular query. All regular queries run from the account running them, so if you're looking to run a report (parameterized) from a dashboard as owner instead of current user, it's not possible currently.

A workaround may be possible if you can remove the token/parameter from the query to load all results, and use post process to filter results in the dashboard, but again it'll depend on your query if that is possible.

0 Karma
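
The workaround described in the answer above, sketched as Simple XML (an added example, not code posted by anyone in the thread): the report is loaded by reference so it keeps its own run-as setting, and the token is applied only in a post-process search. The report name `test` comes from the question; the token `host_tok` and the field `host` are assumptions for illustration.

```xml
<form>
  <label>Report run as owner, filtered by dashboard input</label>

  <!-- Base search: loads the report "test" by reference, so it runs under
       the report's own run-as setting (owner or user). The report's query
       must contain no $token$ and must return the field filtered on below. -->
  <search id="base_report" ref="test"></search>

  <fieldset submitButton="false">
    <!-- Assumed input: a text box that sets the hypothetical token host_tok -->
    <input type="text" token="host_tok">
      <label>Host</label>
      <default>*</default>
    </input>
  </fieldset>

  <row>
    <panel>
      <table>
        <title>test with owner perm, filtered</title>
        <!-- Post-process search: only filters rows the base search already
             returned. The |s token filter wraps the value in quotes.
             "host" is an assumed field name. -->
        <search base="base_report">
          <query>search host=$host_tok|s$</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The post-process filter narrows what the panel displays; the base job still holds every row the report returned under the owner's permissions, so scope the report itself to data that every dashboard user is allowed to see.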

jbrinkman
Explorer

Just ran into this as well. Having to use the ref instead of |savedsearch means I'll be pulling in quite a bit more data and then using the input of dashboard panel to filter.

ref -> can't pass variables/tokens but can run as owner of saved search
|savedsearch -> can't run as owner of saved search when passing variables/tokens

0 Karma

ctaf
Contributor

Thank you. I think I'll try to filter with a post process search.

0 Karma

ShaneNewman
Motivator

ctaf,

I am not exactly sure this is the answer to what you want but it ensures that the job returns results as the owner of the search.

| loadjob savedsearch="admin:search:MySavedSearch"

Now, this only works with scheduled saved searches and returns the results of the latest run search. https://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Loadjob

0 Karma

ctaf
Contributor

Thank you for your answer, but it's not what I'd like since it's for a search in a dashboard with potential filters (inputs, dropdown, ...) that will change my search.

0 Karma

ctaf
Contributor

Please, anyone? 🙂

0 Karma

sundareshr
Legend

Which version of Splunk?

0 Karma

ctaf
Contributor

6.3.3. Is there a new version that allows doing it?

0 Karma

sundareshr
Legend

I know in 6.4 you can select run as owner vs user (may have been introduced in 6.3). Having said that, the default is owner.

http://docs.splunk.com/Documentation/Splunk/6.4.3/Report/Createandeditreports

0 Karma

ctaf
Contributor

Thank you but it already exists in 6.3:
http://docs.splunk.com/Documentation/Splunk/6.3.0/Report/Createandeditreports

It's what I am using in my first example ()

0 Karma