my regular user (who is actually a member of splunk admins also) does get results when running "tag=web"
The Web datamodel is set to Everyone Read AND Write.
my regular user can see RealTime stats on the App dashboard, but if I select, for instance, Traffic->Traffic Center, none of the dashboards return any results.
Opening 1 Dashboard in Search, I try to cut the query down to any part that actually returns results.
This full query (from the Traffic dashboard, top left, Request Count By Type) returns no results:
| tstats summariesonly=t prestats=t count AS Requests FROM datamodel=Web WHERE Web.site="*" "Web.eventtype"=pageview OR "Web.eventtype"=non-pageview GROUPBY "Web.eventtype" _time span=1h | search Web.eventtype=pageview OR Web.eventtype=non-pageview | timechart span=1h count by Web.eventtype
This edited query DOES return results:
| tstats count AS Requests FROM datamodel=Web WHERE Web.site="*" "Web.eventtype"=pageview OR "Web.eventtype"=non-pageview GROUPBY "Web.eventtype" _time span=1h | search Web.eventtype=pageview OR Web.eventtype=non-pageview | timechart span=1h count by Web.eventtype
Does this provide info on where my permissions may be misaligned? summaries? prestats? I'm not familar.
FYI - Today I even rebuilt the Data Model using my regular user login, per the Documentation page (turn off accelleration, re-run Generate Sessions, turn on accelleration, run "Rebuild" - it did not change the behavior.
Thanks,
... View more