I created a simple report showing the top 100 IPs and their counts for a certain event. I clicked save and share results and sent the link to two other users with the same role. They are able to view the report and clicking an IP will open a new window for the drilldown, but Splunk is unable to find any hits for them. Also, when they try to execute the original search by themselves, it doesn't find anything either.
For me, it finds all the relevant events that were shown in the report when I click on an IP in the list.
I think this may be a permissions issue of some sort. I'm new to Splunk and I assumed that giving them the same role was enough. Is it not? Is there something else I'm missing?
If it's not a problem with permissions in the index itself, then it might be a problem permissions on knowledge objects used to run the search.
I'd check the macros and eventtypes that you're using in the search and see if those knowledge objects are shared, or if they're private only to you.
And to troubleshoot from the other direction, expand out any knowledge objects used in the search so that the search is just to basic searchterms, and see if your users can run that search. If they can then backtrack a bit and you'll narrow it down.
It kind of sounds like they aren't able to see the actual index the data is in. Check whether the role they are in has that particular index enabled. It can be found under Manager->Access Controls->Roles-><
This is a test instance with very few users. I haven't created any other roles at this point. I just checked to make sure that I didn't have something applied that they didn't, but we seemt to be identical.