Not able to search index=_internal from searchead

eburnett · ‎05-03-2021

I'm trying to do a search against index=_internal but I do not see this index on my searchhead.

I do see it when I do a search from the indexers.

Any suggestions where I should look first to fix this?

gcusello · ‎05-03-2021

at first sight the problem seems to be the one indicated by @s2_splunk.

In addition, you could check if you're sending internal logs from all your Splunk servers to the Indexer (this is a best practice for distributed architectures).

You can do this forwarding logs from all your Splunk Servers (also Search Heads) to the Indexer [Settings -- Forwardring and Receiving -- Forward].

Ciao.

Giuseppe

s2_splunk · ‎05-03-2021

Sounds like your user role doesn't have permission to look at internal indices?

eburnett · ‎05-10-2021

So I tried to do this search with admin account and you are correct I can see results from this search then. index=_internal*

So Do I need to change permissions somewhere to see these with a user account?

s2_splunk · ‎05-12-2021

Yes, you will need to provide access to indices as needed by role (not user). Please review docs how to go about it.

Not able to search index=_internal from searchead

index

indexer

universal forwarder

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...