Even when I include the Value=* in the search, I am not able to get the token in Subject Line.
An interesting thing is that I am able to get the $result.Value$ in the message body but not in the Subject.
In Access control, create a new role in Splunk and give it access permission on that index. Then you can assign this role to only the user you want to access that index.
You cannot achieve this without adding groups in your LDAP strategy. You need to create the group under your LDAP strategy and then map the role to the new LDAP group.
Yes, "All internal indexes" does not have access to the "test" index.
First, I would suggest not using the -auth parameters. Run the command without -auth and see if you can make any changes.
Secondly, insufficient permissions means that the -auth admin:{password} is incorrect. To resolve the error, change the admin password on the deployer and also on all the SHC members. Then you can try again.