Deployment Architecture

Why is the search index=_internal from a search head as an admin user not returning any events?

Path Finder

In my distributed environment, when I execute a search index=_internal from the search head, I don't get any results back. When I log into an indexer directly and perform the same search, the expected results are returned. I can see from the "Indexes" pages that there are definitely events in the _internal index on each indexer, but I don't seem to be able to access them from the search head. I'm not really sure where to start to track down the issue with this. I only see the issue occur with internal (underscore) indexes, non-internal indexes work just fine from the search head. I suspect this is something simple that I am over looking.


0 Karma


What is the user/role capabilities you have? See if admin has allowed you to access internal indexes.

Settings>Access controls>Roles and looks for allowed indexes

Also look what role your user id is associated to.

Hope this helps,

0 Karma

Path Finder

Sorry, i meant to include that as part of the question. I have tried it both as 'admin' and a user mapped to the admin role. The admin role has "allowed indexes" set to "All Internal Indexes" and "All Non-internal Indexes". There aren't any additional restrictions set for the role.

0 Karma

Path Finder

It seems to have been an inheritance problem from another role. I created a new role with all indexes and all capabilities and no inheritance and it works now. I'll keep digging into the specific culprit.

Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...