What si "All non Internal Indexes" in splunk, that...

sarnagar · ‎08-02-2018

1) Firstly
Whats the difference between
"All non Internal Indexes"
and
"All Internal Indexes"
2)

I have 3 Roles "A" and "B" and "C"

Role "A" - with
Capabilities-
accelerate_search
change_own_password
edit_search_schedule_window
export_results_is_visible
extra_x509_validation
get_metadata
get_typeahead
input_file
output_file
pattern_detect
request_remote_tok
rest_apps_view
rest_properties_get
rest_properties_set
schedule_rtsearch
search
Default index - main
the Indexes selected as "All non Internal Indexes"

Role B
inherit role: A
Capability:
schedule_search
rtsearch
Index Default: A
Indexes: A, B

Role C;
inherit role: A
Capability:
schedule_search
rtsearch
Indexes default: C
Indexes: B,C

A test user1 with role A can view index A
user2 with role B can view index A
But user3 with role C cant view index A.
Why? user3 inherits Role A

teunlaan · ‎08-02-2018

"All non Internal Indexes" = All indexes but NOT _* indexes
"All Internal Indexes" = All _* indexes (splunks own indexes)

user3 should have access too index A

What si "All non Internal Indexes" in splunk, that is present under Indexes in a Role

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk