- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Custom summary index not showing up in "select the...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have created a new app for one of our teams. This includes a new role dma, and new indexes dma_main and dma_summary. The dma role has been set up to search the
main;summary;dma_main;dma_summaryindexes by default.
However when users of the app (who have the dma role) try to create a new summary scheduled search, they only get a single index listed in the "select the summary index" dropdown on the "add new" search page. They cannot see the dma_summary index that they should be using. Why is this?
The dma role has been set up to inherit capabilities from "power" and "user" roles. Their inherited capabilities are listed as:
change_own_password get_metadata get_typeahead list_inputs request_remote_tok rest_apps_view rest_properties_get rest_properties_set rtsearch schedule_search search
There doesn't look like anything else in the capability list that is relevant.
Please help!
Cheers,
Glenn
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The admin user being able to see it was a clue. It turns out that the role requires "indexes_edit" capability to be able to select the summary index for writing.
This seems like a bug or inadequate granularity of permissions. I don't want a user to be able to write to anything except a summary index that they have been granted explicit read permissions to. With this capability set, they can select any index to write to.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The admin user being able to see it was a clue. It turns out that the role requires "indexes_edit" capability to be able to select the summary index for writing.
This seems like a bug or inadequate granularity of permissions. I don't want a user to be able to write to anything except a summary index that they have been granted explicit read permissions to. With this capability set, they can select any index to write to.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree. Can this be turned into an enhancement request?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The original question stated, "create a new summary scheduled search", and to me that means edit(write) to the dma_summary index. Perhaps it is a 'createnewbug'.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is the opposite. Having to grant indexes_edit capability to any index in order to be able to select a single summary_custom_index does not make sense. In the process of granting this capability, user is now able to populate summary data to any index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Expecting write(indexes_edit) when granted only read(explicit) does not compute.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seeing this as well and it is really annoying. The admin user can see my summary index in the summary index selection dropdown. Other users can not.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
