Security

Users can't see new data source in existing index

dougsummersett
New Member

I apologize in advance, but I'm new to Splunk and took over for someone else. We just added a new log file to be ingested, and it does this just fine, but normal users can't see the data from this new file. It is being indexed into an index that previously existed, and they do have access to other files in this index. I've verified the destination index is correct and the same as the others. The user has the compliance_role assigned, and the compliance_role does have this index selected under "searched by default" and "restricted to". As an admin I can see the data.

Any ideas on why they can't see this data?

0 Karma

maciep
Champion

Not that users would (accidentally) lie, but have you witnessed that they can't search the data? Maybe their time range or source or sourcetype (etc.) are wrong, so they just aren't getting the results?

Are there any restricted search terms in any of the roles they belong to?

Is the user running the search from the same search head as you? If not, do they have the same settings for the role?

Can you create a test account, give it that role and see results?

0 Karma

dougsummersett
New Member

I did clone the user account and I'm also seeing the same thing from the cloned account.

When I search, it doesn't appear that it tries to search. It replies back "No Results Found" after about a second, which makes me think it's permissioning. Is there anywhere that logs searches and may provide more info?

0 Karma

maciep
Champion

You can look in the _audit and _internal indexes for that user to see if there are any errors and which searches they ran.

Does that compliance role inherit from the user role? Or another role maybe? If the users are mapped to that role and that role has access to the index, then I'm wondering if it's missing something like the search capability?

0 Karma
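To check the points raised above (what the user's searches actually ran, and whether the role has a search filter, inherited roles, index access and the search capability), the two searches below are an added example, not part of the thread. They assume the role name `compliance_role` from the question, a hypothetical user name `jdoe`, and that an admin runs them on the search head the user logs into.

```spl
index=_audit action=search user=jdoe (info=granted OR info=completed OR info=failed) earliest=-1h
| rex field=search "index=(?<searched_index>\S+)"
| table _time user info searched_index search event_count total_run_time
| sort - _time

| rest /services/authorization/roles/compliance_role splunk_server=local
| table title imported_roles srchIndexesAllowed srchIndexesDefault srchFilter capabilities imported_capabilities
```

The first search shows whether the user's searches were granted and which index they targeted; the second shows the effective role configuration, where a non-empty srchFilter, a missing index in srchIndexesAllowed, or a missing search capability would explain an immediate "No Results Found".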