I'm new to Splunk. I installed the Splunk Add-on for Microsoft Windows (Splunk_TA_windows) on our Windows Splunk server and deployed it to one client via a server class. The app creates three indexes. One is called wineventlog. Problem is, I manually created an index with that name shortly after installing the server a few weeks ago.
It appears the Windows Add On App doesn't have access to the wineventlog index. Only system has access to it. I tried editing it but the option to give an app access to the index is grayed out. I disabled it and still couldn't change it. I tried deleting and creating a new one with the same name but it wouldn't delete the index either.
Based on the directions that came with the app, you can confirm whether it can search. It fails on the first and the last of the 4 searches on page 21 of the app guide (http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/AbouttheSplunkAdd-onforWindows page 21 of the PDF)
I'd appreciate advice on how to correct this.
I am also new to Splunk and had the same issue. I observed that, under Settings --> Access Controls --> Roles --> for the admin role, the 3 indexes which I had created manually (windows, wineventlog and perfmon) were not selected in the list of indexes to be searched by default. I added the indexes and the app was able to detect the events from the indexes during the guided setup.
The thing is, I had installed the Unix app as well, for which I had also created an index manually (index name: os), but that one was somehow already selected in the list of searches.
No luck so far. Under Access Controls > Roles are the users. The windows-admin has wineventlog as a default index. Then I granted the admin account the windows-admin role but that didn't work. I opened a support request. I'll keep you posted.
OK, if you only have one server and one forwarder, it means that your search head is also your indexer, so any sort of interaction with the indexes happens on your server.
Under Access Controls -> Roles, make sure that index is selected under "Indexes searched by default".
If that still does not fix it, you should remove the definition of that index from your app's indexes.conf and restart.
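To make the "Indexes searched by default" check concrete, here is an added example (not code from the thread or from Splunk) that parses a constructed authorize.conf fragment and resolves each role's effective default search indexes. It assumes the standard `[role_<name>]` stanzas with `srchIndexesDefault` and `importRoles`, and it assumes that imported roles contribute their default indexes to the importing role.

```python
import configparser

# Constructed authorize.conf fragment (not from a real deployment): the
# windows-admin role searches wineventlog by default, the admin role does not.
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main;os
srchIndexesDefault = main;os

[role_windows-admin]
importRoles = user
srchIndexesAllowed = main;windows;wineventlog;perfmon
srchIndexesDefault = windows;wineventlog;perfmon

[role_admin]
importRoles = user
srchIndexesAllowed = *
srchIndexesDefault = main;os
"""


def parse_authorize(text):
    """Parse the INI-like conf text into {stanza: {key: value}}, keys case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep srchIndexesDefault etc. exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def _split(value):
    """Splunk lists are ';'-separated; drop empty entries."""
    return [v.strip() for v in value.split(";") if v.strip()]


def default_indexes(conf, role, _seen=None):
    """Effective default search indexes for a role, following importRoles.
    Assumption: imported roles' srchIndexesDefault is inherited (cycle-safe)."""
    _seen = set() if _seen is None else _seen
    if role in _seen:
        return set()
    _seen.add(role)
    stanza = conf.get(f"role_{role}", {})
    result = set(_split(stanza.get("srchIndexesDefault", "")))
    for parent in _split(stanza.get("importRoles", "")):
        result |= default_indexes(conf, parent, _seen)
    return result


def roles_missing_index(conf, index):
    """Roles whose default search scope omits the given index (e.g. wineventlog)."""
    roles = [s[len("role_"):] for s in conf if s.startswith("role_")]
    return sorted(r for r in roles if index not in default_indexes(conf, r))
```

Running `roles_missing_index(parse_authorize(AUTHORIZE_CONF), "wineventlog")` lists the roles for which a search without an explicit `index=` clause will never return Windows event log data.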
If I understand the question correctly (and I might not be since I just started using Splunk), the deployment client is the Universal Forwarder on the Windows 7 desktops and servers.
We only have one Splunk server, if that helps. It's a small network of 50 desktops and servers.