- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Can't Access Data From Non-Main Index Using Cu...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I feel like there is a simple answer to this question, but searching has failed me.
If I have a custom app (Sideview Utils in this case), how can I access data in indexes that aren't main? I have an index named XXX and the /manager/data/indexes webpage shows it is tied to the Search app. Similarly, my YYY index is tied to the Launcher app.
In the custom app, I can only retrieve data from the main index. Even if I search for *, the data is from the main index only.
What's the right way to allow the custom app access to data in XXX and YYY indexes? I don't see permissions on the index page.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is not really app specific, it is user specific.
Settings>Access Controls>Roles>Your Role>Indexes Searched by Default - Add "All non-internal indexes
Does that help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As mentioned by ShaneNewman, Indexes are created on SPlunk instance and access is given by Role (ultimately user specific). What you have to do is to add indexes (XXX and YYY) to the role that your User Id is assigned.
Manager » Access controls » Roles » your role
In section "Indexes searched by default" and "Indexes", select the indexes XXX and YYY. and click on save. Log out and log in back and you're all set.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hm, this seems to work. I think the key was logging out and back in to get the changes to apply. I also learned a thing or two about the default Sideview Utils templates.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That is not really app specific, it is user specific.
Settings>Access Controls>Roles>Your Role>Indexes Searched by Default - Add "All non-internal indexes
Does that help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked after I logged out and back in.
Thanks for helping me wrap my head around this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By complete coincidence, I just recently set that option to no avail. If this was the problem, then wouldn't I be able to do "index=XXX" in the Sideview Utils app's search anyway?
Can you (or someone) explain what the App field under Settings->Indexes refers to? Are indexes limited to the scope of their app?
My config files on the forwarder for XXX are in etc/apps/search so I can understand what happened there. Would moving the *.conf files have an effect?
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
