Security

How can we add more than 50 indexes to one role in Splunk?

sarahafrin
Explorer

How can we add more than 50 indexes to one role in Splunk? I have a role for which the users in this role should be able to search 87 indexes. I have added the names of all 87 indexes in the following fields in my local authorize.conf in the deployer and pushed the config to search heads: srchIndexesAllowed and srchIndexesDefault. However, I can see on my Splunk UI that only a total of 50 indexes were added to the role. Where can I redefine this limit, if possible?

0 Karma

koshyk
Super Champion

Maybe I don't know your environment, but a few questions:
- Why more than 50 individual indexes for your role? Don't you have a naming convention for your indexes? You could just use wildcards like srchIndexesAllowed = my_web_*;my_os_*. A naming convention is a must in large environments.
- It's bad practice to add so many indexes to a single role. Allocate granular roles with permissions and import those roles into a parent role, e.g. team_lead_os should import from the windows_only and nix_only roles, etc. Each child role should have stricter indexes listed.

0 Karma
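
The role layout suggested in the reply above, sketched as an authorize.conf fragment. This is an added example, not part of the original thread; the role names come from the reply, while the index patterns win_* and nix_* are hypothetical placeholders for a site's naming convention.

```ini
# authorize.conf (added illustration; index patterns are hypothetical)

# Child role: Windows data only, matched by naming convention
[role_windows_only]
srchIndexesAllowed = win_*
srchIndexesDefault = win_*

# Child role: *nix data only
[role_nix_only]
srchIndexesAllowed = nix_*
srchIndexesDefault = nix_*

# Parent role: lists no indexes of its own and inherits index
# access from the roles it imports (semicolon-separated,
# written without the "role_" stanza prefix).
[role_team_lead_os]
importRoles = windows_only;nix_only
```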