- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- importRoles doesn't inherit srchDiskQuota and srch...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
importRoles doesn't inherit srchDiskQuota and srchJobsQuota.
I configured a new role to inherit new default settings but the srchDiskQuota and srchJobsQuota is not being honored by the new role. Anyone else seen this issue?
Basically:
[role_base]
srchDiskQuota = 1000
srchJobsQuota = 5
[role_new]
importRoles = base
Result:
[role_new]
srchDiskQuota = 100
srchJobsQuota = 3
(these are the defaults that ship with Splunk)
SPL-136568
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is how it is supposed to work.
The documentation says that role inheritance applies to capabilities and indexes. The other settings are not inherited.
That would be my experience as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Crazy. I'd like to highlight another spot in official documentation confirming that roles' settings are imported:
(v 7.1.2)
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf
srchTimeWin =
* Maximum time span of a search, in seconds.
* This time window limit is applied backwards from the latest time
specified in a search.
* By default, searches are not limited to any specific time window.
* To override any search time windows from imported roles, set this to '0'
(infinite), as the 'admin' role does.
* -1 is a special value that implies no search window has been set for
this role
* This is equivalent to not setting srchTimeWin at all, which means it
can be easily overridden by an imported role
Also, in my Splunk, "User-level concurrent search jobs limit" is successfully inherited from parent role, tested.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting. I wonder if this is then a bug in a previous version that they didn't want to acknowledge as a bug but secretly fixed. It has happened.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you point to the section of documentation that indicates only capabilities and indexes are inherited? I didn't interpret the spec file in that way.
importRoles =
* Semicolon delimited list of other roles and their associated capabilities that should be imported.
* Importing other roles also imports the other aspects of that role, such as allowed indexes to search.
* By default a role imports no other roles.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This bit me recently as well; the documentation piece that implies all parts of a role should be imported is Importing other roles also imports the other aspects of that role, such as allowed indexes to search.
I can't think why it actually works like it does. I create a templated role and use that as my import for other roles and then I have to go to those other roles anyway and fill in all the stuff that wasn't part of the import with the same exact values.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
