I have index1, index2, and index 3. I want role_user to have access to all three within a specific app. Is there a way to do this?
In $SPLUNK_HOME/etc/system/local my authorize.conf has
srchIndexesDefault: index1;index2
srchIndexesAllowed: index1;index2
In $SPLUNK_HOME/etc/apps/myApp/local my authorize.conf has
srchIndexesDefault: index1;index2;index3
srchIndexesAllowed: index1;index2;index3
Of course, this doesn't work. I understand /system/local wins this conflicting parameter fight. Is there anyway to grant the user role access to index3 within myApp? Or would I have to create a different role that inherits role_user and adds index3 access to achieve this?
Thanks in advance.
Access to indexes is by role only, not by app.
Access to indexes is by role only, not by app.
Darn. Thanks for the concise response!