two indexes

LoganRhamy · ‎03-29-2018

A power user cannot get results from index=* or index=foo OR index=bar when an admin can

Below is the authorize.conf changes

[role_user]
srchMaxTime = 8640000
srchDiskQuota = 250

[role_admin]
srchIndexesDefault = main
srchMaxTime = 8640000

[role_power]
cumulativeRTSrchJobsQuota = 400
cumulativeSrchJobsQuota = 200
srchFilter = *
srchMaxTime = 8640000

When the power user runs the query they are getting results from foo index but nothing from bar index. When the Power user run index=foo he gets results and when he runs index=bar he gets results.

When the admin user run the query they are getting results from both foo and bar indexes.

Let me know what I might be missing to get the fixed for our power users.

Best regards,
Logan Rhamy

tiagofbmm · ‎03-29-2018

Hey

The power user with a index=* will get its default indexes, which if you haven;t changed them, are only main. So if you are searching index=* and aren't getting results from one index, it means you may need to add bar index to srchIndexesAllowed for the role power_user.

LoganRhamy · ‎03-29-2018

Thank you for the quick answer. When Power user searches bar alone he gets results. I assume that would mean he has access to search that index. Let me know if I am mistaken.

tiagofbmm · ‎03-29-2018

Yes it does mean he can get data from that index indeed. No errors occur in that search? Are you sure both searches time ranges are the same?

LoganRhamy · ‎03-29-2018

Yes it is a dashboard search that is just opened in search so we are 100% sure of the match query and time frame.

No errors occur besides the lack of results from one of the indexes

two indexes

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes