I am in Splunk Enterprise trying to create a Dashboard in the source code.
When I input the below code it says on the UI "Unable to create search" in regards to the User: All section
Is this a user role restriction preventing me from searching all users or something else? It does not have any errors in the edit source page.
Below Code:
<form theme="dark">
<label>Splunk Search Activity</label>
<fieldset submitButton="true" autoRun="false">
<input type="time" token="time1">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
<input type="radio" token="exclude1" searchWhenChanged="true">
<label>Splunk System User</label>
<choice value="user!=splunk-system-user">exclude</choice>
<choice value="*">include</choice>
<default>user!=splunk-system-user</default>
<initialValue>user!=splunk-system-user</initialValue>
</input>
<input type="multiselect" token="user1">
<label>User:</label>
<fieldForLabel>user1</fieldForLabel>
<fieldForValue>user</fieldForValue>
<search>
<query>index=_audit action=search
search!="'typeahead*" $exclude1$ | stats count by user</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
</search>
<choice value="*">all</choice>
<default>*</default>
<initialValue>*</initialValue>
<delimiter> </delimiter>
</input>
<input type="text" token="filter1">
<label>Search Filter:</label>
<default>*</default>
<initialValue>*</initialValue>
<prefix>"*</prefix>
<suffix>*"</suffix>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_audit action=search search!="'typeahead*" user="$user1$" search=$filter1$ $exclude1$
| stats count by _time user search total_run_time search_id app event_count
| sort -_time</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
Check if you've access to index=_audit. (Login as Admin, Settings-> Roles -> Role of UserInQuestion -> Indexers). Its not included by default for non-admin users.
<input type="multiselect" token="user1">
<label>User:</label>
<fieldForLabel>user1</fieldForLabel>
<fieldForValue>user</fieldForValue>
<search>
<query>index=_audit action=search
search!="'typeahead*" $exclude1$ | stats count by user</query>
<earliest>$time1.earliest$</earliest>
<latest>$time1.latest$</latest>
</search>
<choice value="*">all</choice>
<default>*</default>
<initialValue>*</initialValue>
<delimiter> </delimiter>
</input>
<fieldForLabel>user1</fieldForLabel> This field is not returned by your query | stats count by user
@ITWhisperer Does that mean I need to modify the query or have that index=_audit added to my account privileges? Why is that field not being returned by the query? This specific dashboard is rated highly on GoSplunk with no comments of failure so I am not sure why that query wouldn't work on my Splunk Enterprise when it worked for others. Thank you.
If this dashboard as defined is working for others, then I suspect the fieldForLabel will be using the value in the fieldForValue is the field doesn't exist. In that case, it is more likely to be that you don't have permissions to access the index as @somesoni2 has already pointed out.
Check if you've access to index=_audit. (Login as Admin, Settings-> Roles -> Role of UserInQuestion -> Indexers). Its not included by default for non-admin users.