Knowledge Management

Setting Write Permission on an Index - to be used as a Summary Index

gn694
Communicator

I have created three new indexes (to be used as summary indexes for someone's saved searches.)
When I (as a member of the Admin role in Splunk) go to create a new Saved Search, I am able to select these new indexes from the "Select the summary index" drop-down list.

When the user that I created these indexes for attempts to select a summary index, their only option is the default summary index "summary."
This user is a member of a role with srchIndexesAllowed = *
I know srchIndexesAllowedis a read permission. How do I set a write permission for the role on these new summary indexes so they can select them to be used in their saved searches?

vbumgarner
Contributor

This just came up for me. Apparently the user has to have the "indexes_edit" capability.

That's not so great. Indexes don't have permissions like other objects at this point. Perhaps they should? Read instead of adding read access at the role level? Write to allow collect to function, and therefore summary indexing?

The confusing thing would be that this setting simply couldn't apply at index time, since events don't have permissions when they arrive at the indexers.

gn694
Communicator

When I look at the role in the web GUI (Manager » Access controls » Roles), the very last item is titled "Indexes" and provides a list of "available indexes" which lists all of the indexes from which we can select indexes available to the role. The "Selected search indexes" for this role is "All non-internal indexes" - this is because in authorize.conf, we have specified the role has srchIndexesAllowed=*.

0 Karma

lguinn2
Legend

Sorry, that was my only suggestion! Commenting to bump this thread - hopefully someone else can help!

0 Karma

lguinn2
Legend

Check the allowed indexes for the role; it's the last item in the role configuration. Do the new summary indexes appear in the list as allowed for this role? If not, then the user will not be able to "see" the indexes, much less write to them, regardless of their permissions.

Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...