
Timechart does not work correctly with another user

sergeimartao
Explorer

I created several objects with my local Splunk user and everything is working as expected.
I need to share all items with other users; however, when using timechart, the data does not match!

To summarize: with my login, timechart works normally on this search, and with the other logins timechart on the same search does not work, even when the other users try with admin permission.
I would like to know if there is any place to check where the problem is occurring, since I already checked in the job inspector and saw no difference.

One note: both searches return the same number of events, 5016.

Example of the difference between searches.

index=csv sourcetype=csv source="/opt/splunk/var/run/splunk/csv/cracha/file-*.csv" DtaDemissao=NULL NomFilial="Filial São Paulo 2 - 0004-07"
| rename IdtUsuario as Account_Login
| join type=left Account_Login [ search index=main | `pesquisaloginsads` NOT `IPsTelefonia` | table Account_Login Client_Address ]
| rename Account_Login as Login NomProfissional as Nome NumMatrProfissional as Matricula NomAlocacao as Alocacao NomFilial as Filial NomProfissionalGESTOR as Gestor QtdBatidaCracha as Batidas 
| table _time Login Nome Matricula Alocacao Filial NomLocalTrabalho Gestor Batidas Client_Address DtaBatidaCracha
| where isnotnull(Client_Address) AND NOT like (Client_Address, "::1") OR NOT like (Batidas, "0")
| timechart count by Filial span=1d

1 Solution

richgalloway
SplunkTrust

Usually, this is a permissions problem. Verify all of the objects you created for this search are shared (not "Private") as even Admins cannot use private objects.

BTW, for better performance, replace table with fields in your search.

---
If this reply helps you, Karma would be appreciated.


sergeimartao
Explorer

I agree with you regarding permissions, but I made sure the objects are all allowed globally.
I even tested the objects separately and they all work.

I can't understand why; the search works normally with both users, and the problem occurs only at the moment I add the last line with timechart.

Can you tell if there is any other way to debug this problem?

Thanks for the remark about fields; I had forgotten that feature.

tks!


sergeimartao
Explorer

Well, the report is back in business.

The only thing I did was redo the account_login field extraction.

But honestly this is still strange to me because I had tested this extraction and it was working normally.

Thank you for your help.
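
One way to carry out the sharing check suggested in the accepted answer, as an added example that is not part of the original thread: list the two macros used in the search and any field extraction that mentions Account_Login, together with their owner, app, and sharing level. It assumes the extraction's name or regex contains the string Account_Login and that the search is run by an admin or by the owner of the objects.

```spl
| rest /servicesNS/-/-/admin/macros splunk_server=local count=0
| search title="pesquisaloginsads*" OR title="IPsTelefonia*"
| eval object_type="macro"
| append
    [| rest /servicesNS/-/-/data/props/extractions splunk_server=local count=0
     | search title="*Account_Login*" OR value="*Account_Login*"
     | eval object_type="field extraction"]
| rename eai:acl.owner as owner, eai:acl.app as app, eai:acl.sharing as sharing, eai:acl.perms.read as read_roles
| table object_type title owner app sharing read_roles
| sort sharing object_type title
```

A row with sharing=user is a private object that only its owner can use in a search; read_roles shows which roles can read an object shared at app or global level.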
