Reporting

How can we enforce auto for Schedule Window?

ddrillic
Ultra Champion

Speaking with @woodcock about this case at "What time frame does the auto for Schedule Window cover?"

We would like to enforce auto for the Schedule Window option.

My understanding there was -

If we don't give the edit_search_schedule_window capability to anyone, all will be set to auto without the ability to change it - sounds good to me ; -)

However, we tested it and it was said -

I was doing some testing around the edit_search_schedule_window capability and in my testing, which may be inaccurate, removing that capability removed more than just the ability to leverage/modify the schedule window…it also removed the user’s ability to schedule searches. This is in light of the role still having the schedule_search capability.

Looks like this is affecting report scheduling… alert scheduling appears to be fine. More testing needed.

1 Solution

harsmarvania57
SplunkTrust

I can confirm that with schedule_search capability only, we can't schedule a Report. It looks like for Report Scheduling the edit_search_schedule_window capability is also required. And Splunk by default ships the edit_search_schedule_window capability with the user role, which means that to schedule any report we require both the capabilities (edit_search_schedule_window and search) OR might be a bug?

0 Karma

woodcock
Esteemed Legend

I would open a support case.

0 Karma

ddrillic
Ultra Champion

Much appreciated @harsmarvania57 and @woodcock !!! I'll open a support case.

0 Karma

ddrillic
Ultra Champion

Support is saying -

-- As far as I know, I have come across this issue before and this is not a bug; effectively you need both of these capabilities to be able to schedule reports.

Does it make sense?

0 Karma

woodcock
Esteemed Legend

Push back and ask them, "Then why bother having 2 settings instead of just 1?"

0 Karma

ddrillic
Ultra Champion

oh oh @woodcock - will do ; -)

0 Karma

woodcock
Esteemed Legend

Don't get your hopes up. Also ask them to document this on the docs page somewhere.

0 Karma

ddrillic
Ultra Champion

I know. I dealt with them quite a bit - more during the Hunk period of mine ; -)

0 Karma

ddrillic
Ultra Champion

Ok, Support got back to us pointing to https://docs.splunk.com/Documentation/Splunk/7.2.4/Security/Rolesandcapabilities

it says there -

-- Schedule search -> Lets the user schedule saved searches, create and update alerts, and review triggered alert information.
edit_search_schedule_window -> Lets the user assign schedule windows to scheduled reports. Requires the schedule_search capability. For more about the search scheduler, see the Knowledge Manager Manual.

The supporter added -

-- So, maybe the fact that you need both is due to the fact that scheduled reports are like saved searches that can have schedule windows.

Let me know what you think.

0 Karma

woodcock
Esteemed Legend

Splunk documentation is unbelievably excellent in almost every area EXCEPT FOR capabilities. There is no clear mapping of exactly what each one does and which ones need to be grouped together for certain functions. We always resort to experimentation in this area. One person who has done much of this is @pmalcakdoj, who may be able to share on this topic.

pmalcakdoj
Path Finder

I haven't done any work in that particular area, so I'm not sure either.
I do echo the same sentiment as above: Splunk's capabilities logic is a magic blackbox.

One potential solution to the original question could be to use CSS/JS to hide/remove the Schedule Window option from UI.
It's a bandaid fix at best, I know.

ddrillic
Ultra Champion

Much appreciated @pmalcakdoj !!!

0 Karma

ddrillic
Ultra Champion

Thank you @woodcock !!! any ideas, by any chance, @pmalcakdoj?

0 Karma
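
An added example, not from the thread or from Splunk: a Python audit of authorize.conf that lists roles whose effective capabilities include schedule_search but not edit_search_schedule_window, the combination the thread found unable to schedule reports. The role names and sample file are constructed, and it assumes capabilities are granted with `= enabled` and inherited through `importRoles`.

```python
import configparser

# Constructed sample authorize.conf; role names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
schedule_search = enabled
edit_search_schedule_window = enabled

[role_report_author]
schedule_search = enabled

[role_analyst]
importRoles = report_author
search = enabled

[role_power_analyst]
importRoles = analyst;user
"""

def effective_capabilities(conf_text):
    """Return {role: set of enabled capabilities}, following importRoles."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case, e.g. importRoles
    parser.read_string(conf_text)
    direct, imports = {}, {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue  # skip [default], [capability::...] and other stanzas
        role = section[len("role_"):]
        items = dict(parser[section])
        imports[role] = [r.strip() for r in items.pop("importRoles", "").split(";") if r.strip()]
        direct[role] = {k for k, v in items.items() if v.strip().lower() == "enabled"}

    def resolve(role, seen):
        if role in seen or role not in direct:
            return set()  # import cycle or a role not defined in this file
        seen.add(role)
        caps = set(direct[role])
        for parent in imports[role]:
            caps |= resolve(parent, seen)
        return caps

    return {role: resolve(role, set()) for role in direct}

def roles_unable_to_schedule_reports(conf_text):
    """Roles holding schedule_search without edit_search_schedule_window."""
    return sorted(role for role, caps in effective_capabilities(conf_text).items()
                  if "schedule_search" in caps and "edit_search_schedule_window" not in caps)

print(roles_unable_to_schedule_reports(SAMPLE_AUTHORIZE_CONF))
```

A role defined in another app's authorize.conf is treated here as contributing no capabilities, so run it over the merged configuration for a complete picture.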