Getting Data In

Why does a group not see all of the events they should see?

RedHonda03
Explorer

We have a security group that only sees a portion of the hosts they should be seeing from specified sourcetypes. For some unknown reason, when any user of this security group is looking at Windows Events sourcetypes, many of the Hosts do not show a current "Last Update" time in the Data Summary window. However, other users that are not part of the restricted security group can see all of the Hosts and the Windows Events that are being forwarded for those sourcetypes.

Any suggestions as to why users in a different role or security group would not see all the associated events from the same sourcetype would be helpful.


somesoni2
SplunkTrust

The access restriction is done at index level (and not at host/sourcetype level), so my question is: do you have multiple indexes where this sourcetype (or sourcetypes) is being logged? If there are multiple indexes and your security group doesn't have access to any one of them, then they won't be able to see data coming from that index.


RedHonda03
Explorer

If I'm understanding you correctly, if a sourcetype is sending information to two separate indexes, such as index=WinEvents and index=WebEvents, and the user role is limited to only see the WinEvents index, hosts that have data sent to another index will not be displayed for the users? Example below.

Sourcetype=WinEvents:Security
Hosts = (Generic-DC1, Generic-Server1, Generic-Server2, Desktop1, Desktop2, Desktop3)

Sourcetype=WebEvents:Outbound
Hosts = (Generic-Server2, Desktop1, Desktop2, Desktop3)

For the above information, would the user role in question only see the two hosts: Generic-DC1 and Generic-Server1 since they are not permitted to see the WebEvents index?


somesoni2
SplunkTrust

That is correct. They'll only see data being logged on index=WebEvents (all host/sourcetype from that index).

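As an added illustration of the index-level rule somesoni2 describes (this is not code from the thread or from Splunk), here is a small Python model of how a role's index grant decides which hosts surface per sourcetype. The events and the index, sourcetype and host names are constructed to mirror the thread's example, with one Windows sourcetype split across two indexes; the glob matching stands in for the patterns Splunk accepts in a role's allowed-index list.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample events modelled on the thread: one Windows security
# sourcetype is routed to two indexes, and a second sourcetype lives only
# in WebEvents. Field order is (index, sourcetype, host).
EVENTS = [
    ("WinEvents", "WinEvents:Security", "Generic-DC1"),
    ("WinEvents", "WinEvents:Security", "Generic-Server1"),
    ("WebEvents", "WinEvents:Security", "Generic-Server2"),
    ("WebEvents", "WinEvents:Security", "Desktop1"),
    ("WebEvents", "WinEvents:Security", "Desktop2"),
    ("WebEvents", "WinEvents:Security", "Desktop3"),
    ("WebEvents", "WebEvents:Outbound", "Generic-Server2"),
    ("WebEvents", "WebEvents:Outbound", "Desktop1"),
]


def index_allowed(index, allowed_patterns):
    """Model of a role's index grant: a list of index names or
    glob-style patterns such as Win* (hypothetical role config)."""
    return any(fnmatchcase(index, pat) for pat in allowed_patterns)


def hosts_by_sourcetype(events, allowed_patterns):
    """Hosts a role can see per sourcetype. Only the index is checked;
    host and sourcetype play no part in the access decision."""
    seen = defaultdict(set)
    for index, sourcetype, host in events:
        if index_allowed(index, allowed_patterns):
            seen[sourcetype].add(host)
    return dict(seen)


def hidden_hosts(events, allowed_patterns):
    """Diagnostic: for each sourcetype, the hosts the role cannot see and
    the index that hid them. A non-empty result explains a missing
    'Last Update' for those hosts in that role's Data Summary."""
    hidden = defaultdict(dict)
    for index, sourcetype, host in events:
        if not index_allowed(index, allowed_patterns):
            hidden[sourcetype][host] = index
    # a host that also reached an allowed index is still visible
    visible = hosts_by_sourcetype(events, allowed_patterns)
    for sourcetype, hosts in hidden.items():
        for host in visible.get(sourcetype, set()):
            hosts.pop(host, None)
    return {st: h for st, h in hidden.items() if h}
```

On a live deployment an admin can get the same grouping from the data itself with `| tstats count where index=* by index, sourcetype, host`, and a role's grants with `| rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault`.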