Splunk Search

Search-App Activity-DropDown-System-Activity only viewable by Administrator

t9445
Path Finder

Hi, this is likely a noon question

In V6, "Search & Reporting" App - the menu-bar contains an "Activity" drop-down (far right next to "help"), if we are logged in as Administrator then within the "Activity" drop-down is "System Activity", otherwise it just contains "Jobs" and "Triggered Alerts"

The ability to access the Sub-Menu "Activity" (which contains essentially a great subset of the deployment-monitor/SOS apps) is only visible for the Admin user, what role-permission(s) or tweaks do we need to set on other roles (without inheriting admin directly) should we set to make that sub-menu visible please?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

The "System Activity" link points to the status_index view in the search app, which by default is only visible for the admin role. You can of course change that and add other roles - make sure to make all linked pages visible as well though. Additionally, those views are going to look inside the _internal index, so that role must be able to search that as well.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Concerning #1 - as I've said in the answer, that role must be able to search the _internal index. If your role cannot do that then you need to allow that role to search it, or give the users a second role that does nothing other than allow them to search _internal.

Concerning #2 - yeah, the menu will not magically appear. However, you can drop a link to the status_index view in the regular navigation for your apps. They'll be able to use the view despite not being able to see the dropdown menu.

0 Karma

t9445
Path Finder

Hi, this does not appear to work?

  1. The user-group does have access to _internal (e.g. can run "index=_internal" queries etc) – and the user in question is a member of “other_group” (see below please).

  2. Have setup permissions to allow the user-group to have full r/w access to [views/status_index], even restarted the search-head – the user group in question cannot see the dropdown-menu still?

e.g. in /etc/apps/search/metadata/local.meta

==

[views/status_index]
access = read : [ admin, other_group ], write : [ admin, other_group ]

==

Appreciate any further advice.

Thanks

0 Karma
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...