Splunk Enterprise

Appending to srchIndexesDefault / srchIndexesAllowed

southeringtonp
Motivator

For a given role, is there a way to extend the list of allowed/default indexes, without specifying the entire list?

I know that this can be overridden in an app, but specifying the entire list at the app level seems like asking for trouble - sooner or later two apps will conflict.

For example, given the default configuration:

[role_admin]
srchIndexesAllowed = *;_*
srchIndexesDefault = main;os

Is there a macro or variable substitution that would allow tacking on, similar to how one would append new directories to $PATH or %PATH% in the operating system? I'd like to be able to do something like:

[role_admin]
srchIndexesAllowed = $srchIndexesAllowed$;newindex
srchIndexesDefault = $srchIndexesDefault$;newindex
0 Karma
1 Solution

Simeon
Splunk Employee

Roles can inherit other roles, so in this case it would make sense to have a role that inherits the base set of indexes. For example, you could have a role_base and a role_extra_stuff:

[role_base]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_extra_stuff]
importRoles=role_base
srchIndexesAllowed = new_index
srchIndexesDefault = new_index

The final index capabilities would be role_base having the base set of indexes, and role_extra_stuff having both the base and specific indexes.

yoho
Contributor

Note that "importRoles=role_base" will not work, it should be "importRoles=base" instead...

southeringtonp
Motivator

Does that mean that it is not possible to have a role inherit from [role_extra_stuff] and not have it be able to access new_index?

For example, what if there are settings in [role_extra_stuff] that would be also in [role_one_more]? Those settings would have to be copied into [role_one_more] directly rather than having a third level that inherits from [role_extra_stuff]. Is that right?

0 Karma
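An added example, not part of the original thread or Splunk's own code: a small audit script that resolves `importRoles` transitively and reports the effective `srchIndexesAllowed` / `srchIndexesDefault` per role, so index access gained through inheritance can be reviewed. It assumes inheritance is a union, as the accepted answer describes, and that `importRoles` names omit the `role_` prefix, as noted in the reply above; the role `one_more` and index `audit_idx` are constructed sample values.

```python
import configparser

# Constructed sample authorize.conf (hypothetical roles and index names).
SAMPLE_CONF = """
[role_base]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_extra_stuff]
importRoles = base
srchIndexesAllowed = new_index
srchIndexesDefault = new_index

[role_one_more]
importRoles = extra_stuff
srchIndexesAllowed = audit_idx
"""

def split_list(value):
    # Settings such as importRoles and srchIndexesAllowed are ';'-separated.
    return [item.strip() for item in value.split(";") if item.strip()]

def load_roles(conf_text):
    # Map role name (stanza name without the "role_" prefix) to its settings.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(conf_text)
    return {s[len("role_"):]: dict(parser[s])
            for s in parser.sections() if s.startswith("role_")}

def effective(roles, name, key, seen=None):
    # Union of `key` over the role and everything it imports, transitively.
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # import cycle or unknown role
        return set()
    seen.add(name)
    found = set(split_list(roles[name].get(key, "")))
    for parent in split_list(roles[name].get("importRoles", "")):
        found |= effective(roles, parent, key, seen)
    return found

def audit(conf_text):
    # {role: {setting: sorted effective index list}} for review or diffing.
    roles = load_roles(conf_text)
    keys = ("srchIndexesAllowed", "srchIndexesDefault")
    return {r: {k: sorted(effective(roles, r, k)) for k in keys} for r in roles}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Under this union model, the third-level role `one_more` ends up with `new_index` because it imports `extra_stuff`.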