Hi all,
I am fairly new to Splunk, but I have a little bit of experience with setting it up and making accounts and roles, etc. However, I have hit a brick wall with this issue.
I recently created a role called basic and assigned a user to that role. As the role mentions, the role is very basic and only gives the user the capability to search, real-time search and change their own password. At the moment the user only has access to the summary index.
Now the issue occurs when I add a user to the basic role.
Once the user is assigned and they try to log in, they are unable to access the system; in fact, all users are unable to access the system. Users, once authenticated, are asked to check the web_service.log file. Searching through the log file, the following errors appear:
2013-01-07 09:23:24,503 WARNING [50e9f95c614829668] view:361 - An unknown view name "search_status" is referenced in the navigation definition for "search".
2013-01-07 09:23:24,503 WARNING [50e9f95c614829668] view:361 - An unknown view name "search_detail_activity" is referenced in the navigation definition for "search".
2013-01-07 09:23:24,503 WARNING [50e9f95c614829668] view:361 - An unknown view name "search_user_activity" is referenced in the navigation definition for "search".
2013-01-07 09:23:24,503 WARNING [50e9f95c614829668] view:361 - An unknown view name "search_ui_activity" is referenced in the navigation definition for "search".
2013-01-07 09:23:24,503 WARNING [50e9f95c614829668] view:361 - An unknown view name "index_status" is referenced in the navigation definition for "search".
2013-01-07 09:23:24,503 WARNING [50e9f95c614829668] view:361 - An unknown view name "index_status_health" is referenced in the navigation definition for "search".
2013-01-07 09:23:24,503 WARNING [50e9f95c614829668] view:361 - An unknown view name "indexing_volume" is referenced in the navigation definition for "search".
2013-01-07 09:23:24,503 WARNING [50e9f95c614829668] view:361 - An unknown view name "splunkd_status" is referenced in the navigation definition for "search".
2013-01-07 09:23:24,503 WARNING [50e9f95c614829668] view:361 - An unknown view name "splunkweb_status" is referenced in the navigation definition for "search".
If I go to \etc\system\local\authorize.conf and remove the role from the file, everything is back to normal, but the user will not have a role mapped to their account.
Any thoughts or help in this space will be much appreciated.
Thanks in advance,
Anu
Those views are related to the internal index (index=_*), then you need either:
Thanks for that advice. The thing I find odd is that the roles that are shipped with Splunk when installed, such as Power or User, do not themselves have access to internal indexes, but everything seems fine. Either way, I will give it a go. Thanks for your input!