Solved: Re: Different result between tow users with the sa...

jdoer · ‎01-24-2014

i have an search with two transaction

index=myindex | transaction queue_id sendmail_uid message_id maxspan=5s | search $whatever$ | transaction message_id | table message_id from to

and the result from user admin (role admin)

message_id          from                            to
1007998@re.com  ntf-16_1-info_=_schuf.com   805@nm.de
                                            info@schxxxxxx.bla
                                            v4@mailxxxxxxx.e

So ok, but an user with the role user, it seems, that the second transaction doesn't work.
He see only the events from the first transaction. Also 3 events in the example above.

the settings of this user

change_
own_password
get_metadata
get_typeahead
input_file
list_inputs
output_file
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
schedule_rtsearch
search

and he can only search the index myindex

I thing something missing, but what ?

martin_mueller · ‎01-24-2014

Make sure that user can see all the field extractions/lookups/wherever the required fields come from.

View solution in original post

martin_mueller · ‎01-24-2014

Make sure that user can see all the field extractions/lookups/wherever the required fields come from.

jdoer · ‎01-24-2014

Ah i have it.

I use fields from the app 'Syslog for Postfix' and the user-role could not read this app.
Thx martin_mueller 😄

Different result between tow users with the same search

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases