Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are Security Roles, Indexes not showing up on SHC?

JDukeSplunk
Builder
‎02-13-2018 11:35 AM

I have a number of indexes that only exist on the indexers. In the past, I know that I have been able to select them in the role management GUI and now they do not appear. The authorize.conf on the Search Head Cluster has them listed under the roles.

As follows.

[role_user]
srchDiskQuota = 250
srchIndexesAllowed = application;idx_appdev;idx_citrix;idx_fourd;idx_infrastructure;main;network;os;perfmon;server;wind
srchIndexesDefault = application;idx_appdev;main;perfmon;server;windows;wineventlog;winevents
srchMaxTime = 8640000

However I do not see these in the GUI. Any ideas? Do I now have to make a placeholder indexes with these names on the SHC for them to show up? Seems sloppy.

alt text

Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

JDukeSplunk
Builder
‎03-02-2018 10:26 AM

Following @teunlaan advice I placed a dumbed-down copy of my indexes.conf on the search head members. This appears to have worked. Limiting sizes, bare minimum to run. 

[perfmon]
coldPath = $SPLUNK_DB/perfmon/colddb
homePath = $SPLUNK_DB/perfmon/db
maxTotalDataSizeMB = 1000
thawedPath = $SPLUNK_DB/perfmon/thaweddb

[security]
coldPath = $SPLUNK_DB/security/colddb
homePath = $SPLUNK_DB/security/db
maxTotalDataSizeMB = 1000
thawedPath = $SPLUNK_DB/security/thaweddb

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

JDukeSplunk
Builder
‎03-02-2018 10:26 AM

Following @teunlaan advice I placed a dumbed-down copy of my indexes.conf on the search head members. This appears to have worked. Limiting sizes, bare minimum to run. 

[perfmon]
coldPath = $SPLUNK_DB/perfmon/colddb
homePath = $SPLUNK_DB/perfmon/db
maxTotalDataSizeMB = 1000
thawedPath = $SPLUNK_DB/perfmon/thaweddb

[security]
coldPath = $SPLUNK_DB/security/colddb
homePath = $SPLUNK_DB/security/db
maxTotalDataSizeMB = 1000
thawedPath = $SPLUNK_DB/security/thaweddb
0 Karma
Reply
Solved! Jump to solution

mehuls93
Engager
‎05-25-2020 06:35 AM

Did not worked for me.
Facing the same issue.
Did you updated the indexes.conf on all nodes of SH-C

0 Karma
Reply
Solved! Jump to solution

teunlaan
Contributor
‎02-14-2018 05:44 AM

" Do I now have to make a placeholder indexes with these names on the SHC for them to show up? "

Correct.
Just place a copy of you indexes.conf from the indexers in your SHC

0 Karma
Reply
Solved! Jump to solution

ddrillic
Ultra Champion
‎02-14-2018 07:30 AM

Hi @teunlaan, not sure about that -

-- Just place a copy of you indexes.conf from the indexers in your SHC

Looking at a functioning cluster at one SH and I see -

cd /opt/splunk/etc
$ find . -name indexes.conf
./system/local/indexes.conf
./system/default/indexes.conf
./master-apps/_cluster/default/indexes.conf
./apps/<app name1>/default/indexes.conf
./apps/<app name2>/default/indexes.conf

The real indexes.conf is nowhere to be found.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...