From 9f2424bd01677f3cddd494f50543749ab5dade59 Mon Sep 17 00:00:00 2001
From: gjanders
Date: Tue, 21 May 2024 20:20:58 +1000
Subject: [PATCH] Update savedsearches.conf
---
 default/savedsearches.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/default/savedsearches.conf b/default/savedsearches.conf
index 7d1260b..8c35ca3 100644
--- a/default/savedsearches.conf
+++ b/default/savedsearches.conf
@@ -6607,7 +6607,7 @@ alert.severity = 2
 counttype = number of events
 cron_schedule = 43 4 * * *
 description = Chance the alert requires action? Moderate. this alert attempts to find a list of roles that have capabilities the admin (or roles inheriting) the admin role do not have. The issue with this is that the Settings -> Users UI page, or in the /services/authentication/users REST endpoint will not show users *if* the grantableRoles setting is used on that particular role. Since this setting can be set by the UI itself it an issue can occur that some users do not appear in Settings -> Users but are cached by Splunk correctly, you just cannot see them. \
-The page https://docs.splunk.com/Documentation/Splunk/latest/Admin/authorizeconf descrbies the grantableRoles setting in more detail, this is definitely an edge case but it may be worth detecting...
+The page https://docs.splunk.com/Documentation/Splunk/latest/Admin/authorizeconf describes the grantableRoles setting in more detail, this is definitely an edge case but it may be worth detecting...
 dispatch.earliest_time = -1d@h
 dispatch.latest_time = now
 display.events.fields = ["host","source","sourcetype"]