Splunk Search

how to troubleshoot role restriction presidence

hartfoml
Motivator

Somehow all users on my staging server are restricted to some kind of search term.

When I do this each on any other search head it works as expected

index=_internal host="license-master" source=*license_usage.log type="Usage" idx=foo

when I execute this on the staging system i can only get info about the "os" index and the "sos" index.

No other index is showing. There are a few other really strange things about limited search capabilities on the staging system. How too I look for search restrictions that would affect all users, even admin.

Thanks for your help

0 Karma

woodcock
Esteemed Legend

As an admin, go to Settings -> Access controls -> Roles -> user. There you will see several search restriction settings. See if these are different between the two systems and check all Roles.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...