Users can't see new data source in existing index

New Member

I apologize in advance, but I'm new to Splunk and took over for someone else. We just added a new log file to be ingested, and it does this just fine, but normal users can't see the data from this new file. It is being indexed into an index that previously existed, and they do have access to other files in this index. I've verified the destination index is correct and the same as the others. The user has the compliance_role assigned, and the compliance_role does have this index selected under "searched by default" and "restricted to". As an admin, I can see the data.

Any ideas on why they can't see this data?

0 Karma

Champion

Not that users would (accidentally) lie, but have you witnessed that they can't search the data? Maybe their time range or source or sourcetype (etc.) is wrong, so they just aren't getting the results?

Are there any restricted search terms in any of the roles they belong to?

Is the user running the search from the same search head as you? If not, do they have the same settings for the role?

Can you create a test account, give it that role and see results?

0 Karma

New Member

I did clone the user account and I'm also seeing the same thing from the cloned account.

When I search, it doesn't appear that it tries to search. It replies back "No Results Found" after about a second, which makes me think it's permissioning. Is there anywhere that logs searches and may provide more info?

0 Karma

Champion

You can look in the _audit and _internal indexes for that user to see if there are any errors and which searches they ran.

Does that compliance role inherit from the user role? Or another role maybe? If the users are mapped to that role and that role has access to the index, then I'm wondering if it's missing something like the search capability?

0 Karma
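
The role checks raised in this thread (index access, restricted search terms, inherited roles, the search capability) can be read straight from authorize.conf. The following is an added example, not part of the original thread or Splunk's own code: it walks `importRoles` for a role and reports what that role ends up with. The configuration text, the `user` parent role, the index name and the `srchFilter` value are constructed for illustration; only the name compliance_role comes from the thread.

```python
import configparser
from fnmatch import fnmatch

# Constructed authorize.conf text; only the name compliance_role comes from the thread.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled
srchIndexesAllowed = main

[role_compliance_role]
importRoles = user
srchIndexesAllowed = compliance
srchIndexesDefault = compliance
srchFilter = source=/var/log/app_old.log
"""

def load_roles(text):
    """Parse [role_<name>] stanzas into {name: {setting: value}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case (srchFilter, importRoles)
    cp.read_string(text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def role_chain(roles, name, seen=None):
    """Return the role followed by every role it imports, without repeats."""
    seen = [] if seen is None else seen
    if name in roles and name not in seen:
        seen.append(name)
        for parent in roles[name].get("importRoles", "").split(";"):
            role_chain(roles, parent.strip(), seen)
    return seen

def effective_access(roles, name, index):
    """Summarise index access, search capability and search filters for a role."""
    allowed, filters, can_search = set(), {}, False
    for r in role_chain(roles, name):
        cfg = roles[r]
        allowed.update(p.strip() for p in cfg.get("srchIndexesAllowed", "").split(";") if p.strip())
        if cfg.get("srchFilter"):
            filters[r] = cfg["srchFilter"]  # restricted search terms set on this role
        can_search = can_search or cfg.get("search") == "enabled"
    # A bare wildcard does not cover internal (_-prefixed) indexes.
    ok = any(fnmatch(index, p) and (p.startswith("_") or not index.startswith("_")) for p in allowed)
    return {"chain": role_chain(roles, name), "index_allowed": ok,
            "search_capability": can_search, "search_filters": filters}

if __name__ == "__main__":
    print(effective_access(load_roles(SAMPLE_AUTHORIZE_CONF), "compliance_role", "compliance"))
```

In the constructed sample the role can search and is allowed the index, but its filter names only the older source, so events from a newly added file would not be returned. The filters are listed per role rather than merged; each one should be checked against the new file's source and sourcetype.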