Splunk Enterprise

What does this bug mean?

a212830
Champion

Hi,

Reading the known issues for upgrading to 6.5.3... and saw this:

2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.
2. Assign this user ownership of the scheduled searches.
3. Share the searches at the app level and grant read/write permission to the correct set of users.

What does this mean exactly? ALL users can't run historical searches? Kind of a big bug, if that's the case... Is the solution saying that we need to create an additional admin/power user and then modify all searches?

0 Karma
1 Solution

nnmiller
Contributor

The bug is poorly worded.

Basically, Splunk capabilities work exactly as intended. If a user does not have the capability to run scheduled searches, even if an admin goes in and sets the restricted user's saved search to a scheduled search, the search won't run.

A bug that allowed admin to successfully set a search as scheduled for a user without that capability was fixed. Another customer that was using that "loophole" filed this bug when the loophole stopped working.

The workaround to get the "loophole" back is by creating the special "service account", giving ownership of the searches to that "service account", then giving each user that needs to modify those searches read/write permission.
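
An added example, not part of the original answer or Splunk's own tooling: a Python check that lists scheduled searches whose owner lacks the `schedule_search` capability, which per the answer above will not run. The conf contents, user and role names, and the `USER_ROLES` mapping are constructed assumptions, trimmed to the keys the check reads.

```python
import configparser
from urllib.parse import unquote

# Constructed sample configs and an assumed user-to-role map; names are hypothetical.
AUTHORIZE_CONF = """
[role_power]
schedule_search = enabled
[role_sched_owner]
importRoles = power
[role_report_editor]
"""
SAVEDSEARCHES_CONF = """
[Nightly Errors]
enableSched = 1
[Weekly Summary]
enableSched = 1
[Ad Hoc Lookup]
enableSched = 0
"""
LOCAL_META = """
[savedsearches/Nightly%20Errors]
owner = alice
[savedsearches/Weekly%20Summary]
owner = svc_sched
"""
USER_ROLES = {"alice": ["report_editor"], "svc_sched": ["sched_owner"]}

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (enableSched, importRoles)
    cp.read_string(text)
    return cp

def can_schedule(roles, name, seen=()):
    # A role grants schedule_search directly or through importRoles.
    sec = "role_" + name
    if name in seen or sec not in roles:
        return False
    if roles[sec].get("schedule_search") == "enabled":
        return True
    imported = roles[sec].get("importRoles", "").split(";")
    return any(can_schedule(roles, r.strip(), (*seen, name)) for r in imported)

def unrunnable_scheduled_searches():
    roles, searches, meta = map(parse, (AUTHORIZE_CONF, SAVEDSEARCHES_CONF, LOCAL_META))
    owners = {unquote(s.split("/", 1)[1]): meta[s].get("owner")
              for s in meta.sections() if s.startswith("savedsearches/")}
    return [(n, owners.get(n)) for n in searches.sections()
            if searches[n].get("enableSched") in ("1", "true") and not any(
                can_schedule(roles, r) for r in USER_ROLES.get(owners.get(n), []))]
```

Here "Nightly Errors" is flagged because its owner only holds a role without the capability, while "Weekly Summary" passes because the service account inherits it through `importRoles`.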

a212830
Champion

Thanks.

0 Karma

nnmiller
Contributor

You're welcome. Hat tip goes to jkat54 for pinging me about this question.

0 Karma

jkat54
SplunkTrust

I asked someone with access to Jira if they can elaborate on it for you.

I've noticed you rarely accept answers though. Can you please revisit some of your old posts such as this one?

https://answers.splunk.com/answers/405080/why-is-my-splunk-rest-api-search-not-working-and-g.html

And let some folks know if they've answered your questions by clicking on "accept answer" or responding to their answer.

0 Karma

a212830
Champion

I wouldn't say rarely... as frequently as I should... probably not. Some of that is because the answers don't work, or priorities change... nature of the job, I'm afraid. I'll try to do better.

0 Karma