Splunk Enterprise

What does this bug mean?

a212830
Champion

Hi,

Reading the known issues for upgrading to 6.5.3... and saw this:

2013-08-19 SPL-73386 Users are not allowed to run historical scheduled search

Workaround:
1. Create a special power/admin user who can run scheduled searches.
2. Assign this user ownership of the scheduled searches.
3. Share the searches at the app level and grant read/write permission to the correct set of users.

What does this mean exactly? ALL users can't run historical searches? Kind of a big bug, if that's the case... Is the solution saying that we need to create an additional admin/power user and then modify all searches?

0 Karma
1 Solution

nnmiller
Contributor

The bug is poorly worded.

Basically, Splunk capabilities work exactly as intended. If a user does not have the capability to run scheduled searches, even if an admin goes in and sets the restricted user's saved search to a scheduled search, the search won't run.

A bug that allowed an admin to successfully set a search as scheduled for a user without that capability was fixed. Another customer that was using that "loophole" filed this bug when the loophole stopped working.

The workaround to get the "loophole" back is to create the special "service account", give ownership of the searches to that "service account", then give each user that needs to modify those searches read/write permission.
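An added example, not part of the original thread and not Splunk's own tooling: a small audit that flags scheduled searches whose owner cannot run them, which is the situation the answer above describes. The config text is constructed sample data using Splunk's `authorize.conf`, `savedsearches.conf` and `local.meta` key names, and the `USER_ROLES` mapping is an assumption standing in for the deployment's real user store.

```python
import configparser
from urllib.parse import unquote
# Constructed sample data (not from the thread); user-to-role mapping is assumed.
AUTHORIZE = """
[role_power]
schedule_search = enabled
[role_ops]
importRoles = power
[role_analyst]
search = enabled
"""
SAVEDSEARCHES = """
[Failed logins daily]
enableSched = 1
[Disk usage report]
enableSched = 1
"""
LOCAL_META = """
[savedsearches/Failed%20logins%20daily]
owner = alice
[savedsearches/Disk%20usage%20report]
owner = svc_scheduler
"""
USER_ROLES = {"alice": ["analyst"], "svc_scheduler": ["ops"]}

def parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. importRoles
    cp.read_string(text)
    return cp

def capabilities(role, roles, seen):  # own capabilities plus those inherited via importRoles
    if role in seen or f"role_{role}" not in roles:
        return set()  # unknown role, or already visited (guards against import cycles)
    seen.add(role)
    stanza = roles[f"role_{role}"]
    caps = {k for k, v in stanza.items() if k != "importRoles" and v == "enabled"}
    for parent in stanza.get("importRoles", "").split(";"):
        caps |= capabilities(parent.strip(), roles, seen)
    return caps

def can_schedule(user, roles):
    return any("schedule_search" in capabilities(r, roles, set()) for r in USER_ROLES.get(user, []))

def unrunnable_scheduled_searches():  # (search, owner) pairs: scheduled, but owner lacks the capability
    roles, searches, meta = parse(AUTHORIZE), parse(SAVEDSEARCHES), parse(LOCAL_META)
    owners = {unquote(s.split("/", 1)[1]): meta[s]["owner"] for s in meta.sections()}
    return [(n, owners.get(n)) for n in searches.sections()
            if searches[n].get("enableSched") in ("1", "true")
            and not can_schedule(owners.get(n), roles)]
```

In the sample, the search owned by `alice` is flagged, while the one owned by the service account passes because its role inherits the capability.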

a212830
Champion

Thanks.

0 Karma

nnmiller
Contributor

You're welcome. Hat tip goes to jkat54 for pinging me about this question.

0 Karma

jkat54
SplunkTrust

I asked someone with access to Jira if they can elaborate on it for you.

I've noticed you rarely accept answers though. Can you please revisit some of your old posts such as this one?

https://answers.splunk.com/answers/405080/why-is-my-splunk-rest-api-search-not-working-and-g.html

And let some folks know if they've answered your questions by clicking on "accept answer" or responding to their answer.

0 Karma

a212830
Champion

I wouldn't say rarely... as frequently as I should... probably not. Some of that is because the answers don't work, or priorities change... nature of the job, I'm afraid. I'll try to do better.

0 Karma