Only saved searches owned by user or global shared ones showing up

[danoe]

Instead of showing only searches owned by the user and global shared searches, all searches the user has access to should be shown.

[mayurah]

Hi @danoe, we tried to replicate the behavior by creating user with role 'user' and SavedSearches created by other users with different roles.

We observed that we are infact getting the same number of saved search in WDC connector as what we see in Splunk for that user.

Also things you may want to check:

• Permissions of SavedSearch you are not able to see in connector.
• You can even use Splunk Search (SPL) in "Custom SPL" section of connector.

Added screenshot for your reference!

Hope this helps!

[danoe]

Thank you for the quick response, that looks correct indeed. I’ll have to dig deeper then why the searches didn’t show for me. I could see them on the splunk UI but they only appeared in the WDC dropdown after changing sharing to global.

I guess this issue can be closed for now. Thanks again. If i find out what was the issue in my case, I’ll post it here.

[danoe]

@mayurah, could you check this again, there really is something wrong.

I've found out that for me it only shows 19 searches in the WDC and looking into our splunk instance these 19 searches are the only ones that were

a) created accidentally by some users within the default splunk "Search & Reporting" App b) were shared with "global" permission

As seen on your screenshot you're also only looking at searches within your "Search & Reporting" App.

[mayurah]

This is community supported project.

WDC is using Splunk API to retrieve Saved Search, can you check what API returns for you via https://splunk-ip:8089/services/saved/searches, and if there's anything missing.

As an alternative to picking SavedSearch, have you checked custom query option? you can use SPL to write custom Query in WDC.

[danoe]

Thanks @mayurah, indeed it shows only the same 19 search through the api. As far as i know that is due to this endpoint working within the default namespace and default app "search".

The Endpoint to access saved searches from other apps would be through namespaces. https://splunk-ip:8089/servicesNS/mySplunkUser/mySplunkApp/saved/searches/ or when using wildcard https://splunk-ip:8089/servicesNS/-/-/saved/searches/

Docs: http://docs.splunk.com/Documentation/Splunk/latest/RESTUM/RESTusing#Namespace

Unfortunately I'm not sure how to access that through the JS SDK.

My first idea was something like, having a drop down menu that lists all the apps namespaces to choose and then request all the saved searches within that namespace.