Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Drilldown not working for some users

LanMan6501
New Member
‎02-29-2012 11:26 AM

I created a simple report showing the top 100 IPs and their counts for a certain event. I clicked save and share results and sent the link to two other users with the same role. They are able to view the report and clicking an IP will open a new window for the drilldown, but Splunk is unable to find any hits for them. Also, when they try to execute the original search by themselves, it doesn't find anything either.

For me, it finds all the relevant events that were shown in the report when I click on an IP in the list.

I think this may be a permissions issue of some sort. I'm new to Splunk and I assumed that giving them the same role was enough. Is it not? Is there something else I'm missing?

Tags (2)
0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎03-05-2012 10:07 AM

If it's not a problem with permissions in the index itself, then it might be a problem permissions on knowledge objects used to run the search.

I'd check the macros and eventtypes that you're using in the search and see if those knowledge objects are shared, or if they're private only to you.

And to troubleshoot from the other direction, expand out any knowledge objects used in the search so that the search is just to basic searchterms, and see if your users can run that search. If they can then backtrack a bit and you'll narrow it down.

0 Karma
Reply

jsb22
Path Finder
‎03-01-2012 03:44 PM

It kind of sounds like they aren't able to see the actual index the data is in. Check whether the role they are in has that particular index enabled. It can be found under Manager->Access Controls->Roles-><> and take a look at the Indexes section. If they have ALL the same roles as you have, this wouldn't be the issue, but if you have an extra role, this could be the issue?

0 Karma
Reply

LanMan6501
New Member
‎03-05-2012 08:13 AM

This is a test instance with very few users. I haven't created any other roles at this point. I just checked to make sure that I didn't have something applied that they didn't, but we seemt to be identical.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...