Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are Security Roles, Indexes not showing up on SHC?

JDukeSplunk
Builder
‎02-13-2018 11:35 AM

I have a number of indexes that only exist on the indexers. In the past, I know that I have been able to select them in the role management GUI and now they do not appear. The authorize.conf on the Search Head Cluster has them listed under the roles.

As follows.

[role_user]
srchDiskQuota = 250
srchIndexesAllowed = application;idx_appdev;idx_citrix;idx_fourd;idx_infrastructure;main;network;os;perfmon;server;wind
srchIndexesDefault = application;idx_appdev;main;perfmon;server;windows;wineventlog;winevents
srchMaxTime = 8640000

However I do not see these in the GUI. Any ideas? Do I now have to make a placeholder indexes with these names on the SHC for them to show up? Seems sloppy.

alt text

Preview file
60 KB
Reply
1 Solution
Solved! Jump to solution
Solution

JDukeSplunk
Builder
‎03-02-2018 10:26 AM

Following @teunlaan advice I placed a dumbed-down copy of my indexes.conf on the search head members. This appears to have worked. Limiting sizes, bare minimum to run. 

[perfmon]
coldPath = $SPLUNK_DB/perfmon/colddb
homePath = $SPLUNK_DB/perfmon/db
maxTotalDataSizeMB = 1000
thawedPath = $SPLUNK_DB/perfmon/thaweddb

[security]
coldPath = $SPLUNK_DB/security/colddb
homePath = $SPLUNK_DB/security/db
maxTotalDataSizeMB = 1000
thawedPath = $SPLUNK_DB/security/thaweddb

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

JDukeSplunk
Builder
‎03-02-2018 10:26 AM

Following @teunlaan advice I placed a dumbed-down copy of my indexes.conf on the search head members. This appears to have worked. Limiting sizes, bare minimum to run. 

[perfmon]
coldPath = $SPLUNK_DB/perfmon/colddb
homePath = $SPLUNK_DB/perfmon/db
maxTotalDataSizeMB = 1000
thawedPath = $SPLUNK_DB/perfmon/thaweddb

[security]
coldPath = $SPLUNK_DB/security/colddb
homePath = $SPLUNK_DB/security/db
maxTotalDataSizeMB = 1000
thawedPath = $SPLUNK_DB/security/thaweddb
0 Karma
Reply
Solved! Jump to solution

mehuls93
Engager
‎05-25-2020 06:35 AM

Did not worked for me.
Facing the same issue.
Did you updated the indexes.conf on all nodes of SH-C

0 Karma
Reply
Solved! Jump to solution

teunlaan
Contributor
‎02-14-2018 05:44 AM

" Do I now have to make a placeholder indexes with these names on the SHC for them to show up? "

Correct.
Just place a copy of you indexes.conf from the indexers in your SHC

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎02-14-2018 07:30 AM

Hi @teunlaan, not sure about that -

-- Just place a copy of you indexes.conf from the indexers in your SHC

Looking at a functioning cluster at one SH and I see -

cd /opt/splunk/etc
$ find . -name indexes.conf
./system/local/indexes.conf
./system/default/indexes.conf
./master-apps/_cluster/default/indexes.conf
./apps/<app name1>/default/indexes.conf
./apps/<app name2>/default/indexes.conf

The real indexes.conf is nowhere to be found.

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...