I apologize in advance, but I'm new to Splunk and took over for someone else. We just added a new log file to be ingested, and it does this just fine, but normal users can't see the data from this new file. It is being indexed into an index that previously existed, and they do have access to other files in this index. I've verified the destination index is correct and the same as the others. The user has the compliance_role assigned, and the compliance_role does have this index selected under "searched by default" and "restricted to". As an admin I can see the data.
I did clone the user account and I'm also seeing the same thing from the cloned account.
When I search, it doesn't appear that it tries to search. It replies back "No Results Found" after about a second, which makes me think it's permissioning. Is there anywhere that logs searches and may provide more info?
You can look in the _audit and _internal indexes for that user to see if there are any errors and which searches they ran.
Does that compliance role inherit from the user role? Or another role maybe? If the users are mapped to that role and that role has access to the index, then I'm wondering if it's missing something like the search capability?
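The two checks suggested in the replies above, written as searches for an admin to run. This is an added example, not from the original posters; `<username>` is a placeholder for the affected account, and the field names are the ones Splunk normally writes to audit search events and returns from the roles REST endpoint.

```spl
index=_audit action=search user="<username>"
| table _time user info search_id search scan_count event_count result_count
| sort - _time

| rest /services/authorization/roles splunk_server=local
| search title="compliance_role"
| table title imported_roles capabilities imported_capabilities srchIndexesAllowed srchIndexesDefault srchFilter imported_srchFilter
```

Run them as two separate searches. The first shows what the user's search string was and how many events it scanned; the second shows whether the role inherits from another role, holds the `search` capability, and carries a search filter that could exclude the new file.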