All Apps and Add-ons

Not listing any custom indexes

anoopdi
Path Finder

Not sure what's wrong here. When I try to create any input, the only indexes I can see is history, main and summary. The other add-ons on this instance are showing all the indexes and have a feature to type in the index name if not listed in the dropdown, I can also see all the indexes if I go to settings-->indexes. But 'Splunk Add-on for Microsoft Office 365' does not have that option.

Anyone has seen this issue? I don't have backend access to this server to edit the inputs.conf file

0 Karma
1 Solution

adalbor
Builder

If you have the app installed on a HF like us, you will need to push a copy of the indexes.conf out to them also.
This ensures that in any apps that use a dropdown for your indexes, it will populate with a list of all your indexes.

We actually have two indexes.conf, one we push only to our IDX's (in case IDX specific settings need to be there) then one copy we push to our HF's.

View solution in original post

adalbor
Builder

If you have the app installed on a HF like us, you will need to push a copy of the indexes.conf out to them also.
This ensures that in any apps that use a dropdown for your indexes, it will populate with a list of all your indexes.

We actually have two indexes.conf, one we push only to our IDX's (in case IDX specific settings need to be there) then one copy we push to our HF's.

anoopdi
Path Finder

Yea seems like thats the issue. On most of the add-on, you still have an option to type in the index if it is not listed out in the dropdown. This one is not a fun TA for sure.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi anoopdi,
usually in this app (as many others) there isn't the index= filter in eventtypes so all searches don't run until you modify eventtypes or adding all indexes to the default search path.

This second solution is quicker because you have to intervene only in one point [Settings -- Access Controls -- Roles -- your_role -- Indexes] but gives worse performances.

I prefer to intervene in eventtypes adding the index information ( index=office365 ).

Bye.
Giuseppe

sideview
SplunkTrust
SplunkTrust

I don't think this question has anything to do with eventtypes? The create input screen in the office 365 app, has an indexes pulldown. For the OP the only values he sees are history, main and summary but he doesn't know why since he does have other indexes and he sees them listed elsewhere in other apps. Possibly you know some detail leading you to believe there is some involvement with eventtypes?

0 Karma

sideview
SplunkTrust
SplunkTrust

I looked at the TA and the rest endpoint it hits to get the index list looks right to me.

to troubleshoot, go to the Search app as that same user and run this search:

| rest /services/data/indexes | fields title *

Do you see only the same 3? history, main and summary?

0 Karma

StuartMacL
Explorer

I realise this is an old thread, but apparently still relevant! I have the same issue, (and have done in the past). Previously I asked Splunk support to fix it, and they did.... After about 2 weeks. 

When I go to Indexes in the IDM, I can see all the indexes (60 of them) so the index.conf file must have been copied over to the IDM from our Search Head. However, the Office 365 app can only see the default 3, plus the one I previously asked support to make visible.

When I run your query, I only see a few - what does this mean? I have admin rights already, so that cant be the issue. I even tried adding my user to every role available!

0 Karma

pruthvikrishnap
Contributor

you will only be able to see Indexes which are enabled for your role.
if you have admin access you should see all indexes including custom indexes popping up.
while creating indexes select the role, it should resolve your issue.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...