Getting Data In

Why does a group not see all of the events they should see?

RedHonda03
Explorer

We have a security group that only sees a portion of the hosts they should be seeing from specified sourcetypes. For some unknown reason, when any user of this security group is looking at Windows Events sourcetypes, many of the Hosts do not show a current "Last Update" time in the Data Summary window. However, other users that are not part of the restricted security group can see all of the Hosts and the Windows Events that are being forwarded for those sourcetypes.

Any suggestions as to why users in different role or security group would not see all the associated events from the same sourcetype would be helpful.

0 Karma

somesoni2
Revered Legend

The access restriction is done at index level (and not at host/sourcetype level), so my question is, do you have multiple indexes where this sourcetype(s) are being logged? If there are multiple indexes and your security group doesn't have access to any one of them, then they won't be able to see data coming from that index.

0 Karma

RedHonda03
Explorer

If I'm understanding you correctly, if a sourcetype is sending information to two separate indexes, such as index=WinEvents and index=WebEvents, and the user role is limited to only see the WinEvents index, hosts that have data sent to another index will not be displayed for the users? Example below.

Sourcetype=WinEvents:Security
Hosts = (Generic-DC1, Generic-Server1, Generic-Server2, Desktop1, Desktop2, Desktop3)

Sourcetype=WebEvents:Outbound
Hosts = (Generic-Server2, Desktop1, Desktop2, Desktop3)

For the above information, would the user role in question only see the two hosts: Generic-DC1 and Generic-Server1 since they are not permitted to see the WebEvents index?

0 Karma

somesoni2
Revered Legend

That is correct. They'll only see data being logged on index=WebEvents (all host/sourcetype from that index).

0 Karma
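As an added illustration of the index-level restriction described in this thread (not from the original posts; the role name `win_analysts` is hypothetical), this is what such a role looks like in authorize.conf: the role is allowed to search only the WinEvents index, so any event routed to WebEvents is invisible to it no matter which host or sourcetype produced it.

```ini
# authorize.conf (added example, not from this thread; role name is hypothetical)
# Splunk grants search access per index. A role whose srchIndexesAllowed
# lists only WinEvents will never return events stored in WebEvents,
# regardless of host or sourcetype, which is why hosts that log only to
# WebEvents show no "Last Update" time for members of this role.
[role_win_analysts]
importRoles = user
srchIndexesAllowed = WinEvents
srchIndexesDefault = WinEvents
```

To check which indexes a role can search, an admin can run `| rest /services/authorization/roles | search title=win_analysts | table title srchIndexesAllowed srchIndexesDefault`. To see where a sourcetype's events actually land, `| tstats count where index=* sourcetype="WinEvents:Security" by index host` lists every index and host combination, so hosts appearing only under an index the role cannot search are the ones that will be missing.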