https://community.splunk.com/t5/Splunk-Search/I-am-getting-mostly-info-denied-events-for-specific-users-while/m-p/426498#M191089 <P>I am getting info=denied events for specific users while searching for _audit index. What is the significance of this as users are not able to search any indexes? any leads. </P> Sat, 03 Aug 2019 00:25:39 GMT pateriaak 2019-08-03T00:25:39Z https://community.splunk.com/t5/Splunk-Search/I-am-getting-mostly-info-denied-events-for-specific-users-while/m-p/426498#M191089 <P>I am getting info=denied events for specific users while searching for _audit index. What is the significance of this as users are not able to search any indexes? any leads. </P> Sat, 03 Aug 2019 00:25:39 GMT https://community.splunk.com/t5/Splunk-Search/I-am-getting-mostly-info-denied-events-for-specific-users-while/m-p/426498#M191089 pateriaak 2019-08-03T00:25:39Z https://community.splunk.com/t5/Splunk-Search/I-am-getting-mostly-info-denied-events-for-specific-users-while/m-p/426499#M191090 <P>hi @pateriaak - Are you trying to say that the users who are getting info=denied in the _audit index are not able to search all other indexes as well, and not just the _audit index?<BR /> Most times splunk admins will restrict _audit access to most users as I won't want end users to see audit info.<BR /> But for this what i do is go to accesss controls &gt; roles and manually remove _audit index from the specified user roles.<BR /> If the affected users in your case are not able to see/search any indexes I recommend that you navigate to one of the roles and check is that role has permission set for one of the indexes that they should have access to..</P> Sat, 03 Aug 2019 07:24:01 GMT https://community.splunk.com/t5/Splunk-Search/I-am-getting-mostly-info-denied-events-for-specific-users-while/m-p/426499#M191090 Sukisen1981 2019-08-03T07:24:01Z https://community.splunk.com/t5/Splunk-Search/I-am-getting-mostly-info-denied-events-for-specific-users-while/m-p/426500#M191091 <P>hi @Sukisen1981 I was unclear in my question about _audit index, I was seeing this info=denied in _audit index for a user as a splunk admin and yes later I was able to figure out access issues causing users not able to search any indexes. thank you for your comments and sorry about being unclear initially. </P> Mon, 05 Aug 2019 15:41:05 GMT https://community.splunk.com/t5/Splunk-Search/I-am-getting-mostly-info-denied-events-for-specific-users-while/m-p/426500#M191091 pateriaak 2019-08-05T15:41:05Z https://community.splunk.com/t5/Splunk-Search/I-am-getting-mostly-info-denied-events-for-specific-users-while/m-p/426501#M191092 <P>hi @pateriaak - Glad that you figured out the issue, had to be an index permission issue.<BR /> Please accept my answer if it helps similar issue resolution in a significant way or please post your answer if you did something very different to resolve the issue , for the benefit of the forum</P> Mon, 05 Aug 2019 16:07:07 GMT https://community.splunk.com/t5/Splunk-Search/I-am-getting-mostly-info-denied-events-for-specific-users-while/m-p/426501#M191092 Sukisen1981 2019-08-05T16:07:07Z