I have certain users that are not able to see populated dashboards in the app. For example, my Sec_User can see the overview page (as can my admin user), but when my Sec_User goes to the "Traffic Dashboard" it is empty (my admin user can see the populated dashboard), and when Sec_User runs a search for threat events I get data back running this search: index=pan_logs sourcetype=*threat*
When Sec_User clicks down into the "Protocols Over Time" panel they get no results. The job inspect looks like this: This search has completed, but did not match any events. The terms specified in the highlighted portion of the search:
None | tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log.traffic.end" groupby _time log.protocol span=5m | timechart span=5m values(count) by log.protocol
When the admin user clicks down into the same panel, results are returned. At first I thought the Sec_User didn't have permissions for the macro or datamodel, but the Sec_User has write permissions on the entire app. I'm not sure why they can't see the dashboard though. Any help would be appreciated, and feel free to ask questions regarding my settings.
Thank you.
Since both users can see the data in the index (i.e. the Overview dashboard), it doesn't seem to be an issue with index permissions.
But Sec_User can't see the other dashboards which pull from the datamodel, not the index. So it is most likely a permission issue with the datamodels. Even if the user has full permissions on the App, the datamodel has its own permissions which could interfere. Check the datamodel permissions to see what roles are permitted to view it.
Splunk support should be able to help further if you get stuck. This isn't an app-specific issue, but is a configuration question with Splunk Enterprise permissions which they should be able to assist with.
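The per-object permission check suggested in the answer above, as an added example (not part of the original thread and not code from the app): it parses a constructed sample in the layout of an app's metadata/local.meta and resolves whether a role can read the pan_firewall datamodel. The sample contents, the role name sec_role and the rule that the most specific stanza wins are assumptions of this example.

```python
import re

# Constructed sample, in the layout of an app's metadata/local.meta (not from the thread).
SAMPLE_META = """
[]
access = read : [ * ], write : [ admin, power ]
export = system

[datamodels/pan_firewall]
access = read : [ admin, power ], write : [ admin ]

[macros]
access = read : [ * ], write : [ admin ]
"""

def parse_meta(text):
    """Return {stanza: {"read": set, "write": set}} for stanzas with an access line."""
    acls, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            stanza = header.group(1).strip()  # "" is the app-wide stanza
            continue
        key, _, value = line.partition("=")
        if stanza is None or key.strip() != "access":
            continue
        acl = {"read": set(), "write": set()}
        for perm, roles in re.findall(r"(read|write)\s*:\s*\[([^\]]*)\]", value):
            acl[perm] = {r.strip() for r in roles.split(",") if r.strip()}
        acls[stanza] = acl
    return acls

def effective_acl(acls, obj_type, name):
    """Assumed precedence: object stanza, then type stanza, then app-wide []."""
    for stanza in (f"{obj_type}/{name}", obj_type, ""):
        if stanza in acls:
            return stanza, acls[stanza]
    return None, {"read": set(), "write": set()}

def can_read(acls, obj_type, name, user_roles):
    """True if any of the user's roles (or the * wildcard) has read access."""
    _, acl = effective_acl(acls, obj_type, name)
    return "*" in acl["read"] or bool(acl["read"] & set(user_roles))
```

In the constructed sample the app-wide stanza grants read to everyone, yet the object-level stanza for the datamodel narrows it, which is the situation the answer describes.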
Everyone has Read permissions and Sec_User specifically (along with admin and power) has write permissions. I might have to open a support ticket. I figured I would come here first.
The above is in regard to the datamodel that is pulled in the Threat Dashboard panel which is stated in the "job inspect" page.
None | tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log.traffic.end" groupby _time log.protocol span=5m | timechart span=5m values(count) by log.protocol
That's right, the "pan_firewall" datamodel. Sounds correctly configured to me, and the data is clearly there since the admin user can see it. Sounds like a support ticket would help here, very interested to hear what you find out.
Hi, did you create roles for your users? Make sure the Indexes searched by default is available to the role for your Sec_user.
Sec_User has access to all non-internal by default
Try adding pan_log index to the default search for sec_user.
I added pan_logs to the default searchable indexes (even though "all non-internal indexes" was already selected). Same thing: no results on the Traffic Dashboard.