Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why can the users no longer see indexes when scheduling summary indexing after upgrading to Splunk 7.0.2?

paimonsoror
Builder
‎02-22-2018 10:38 AM

Having a major issue here. Since upgrading to the latest version of Splunk, my users are no longer able to see the list of their indexes when scheduling a search to write to summary index.

Was there a new capability that was added that we need to add to the role?

Went from 6.5.2 - > 7.0.2

Clustered environment (4 SH, 6 IDX - indexes.conf only lives on indexers)

alt text

Above is an example. For me, the "Select the summary index" field shows all the indexes I can write to (i am admin role). But for my user, it is completely blank. Not even a single value.

Labels (1)
Labels
Preview file
1 KB
Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎06-28-2018 11:35 AM

Known bug (now) SPL-154382:
http://docs.splunk.com/Documentation/Splunk/7.0.4/ReleaseNotes/Knownissues

Looks like changes to capabilities required to be able to see this list of summary indexes. The role that is scheduling the search needs to include "indexes_edit" and "dispatch_rest_to_indexers" capabilities. Once this is configured, user should see the list of summary indexes.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎06-28-2018 11:35 AM

Known bug (now) SPL-154382:
http://docs.splunk.com/Documentation/Splunk/7.0.4/ReleaseNotes/Knownissues

Looks like changes to capabilities required to be able to see this list of summary indexes. The role that is scheduling the search needs to include "indexes_edit" and "dispatch_rest_to_indexers" capabilities. Once this is configured, user should see the list of summary indexes.

0 Karma
Reply
Solved! Jump to solution

paimonsoror
Builder
‎03-01-2018 01:04 PM

Submitted this to support. looks like it might be part of a known bug. Will report back as soon as i have more info.

Reply
Solved! Jump to solution

daniel333
Builder
‎02-26-2018 09:05 AM

Similar happened to me a while back.

Try creating the index via the GUI on the search head. Worked for me. What I found in my situation is that the SHC doesn't read the indexes.conf without a restart even though I pushed from the deployer. Creating the index via the GUI seemed to be a work around (I have since, deleted the local file and restarted which worked)

0 Karma
Reply
Solved! Jump to solution

paimonsoror
Builder
‎02-22-2018 11:01 AM

Hrmm seems that I need to have the indexes.conf file also on my SH's ?

"You need to have your indexes.conf file (where the indexes are defined) on your search head. Alternatively, in later versions you can click "advanced" and update the search macro directly with (index=whatever)."

Reference: https://answers.splunk.com/answers/528891/why-is-the-enable-summary-indexing-option-no-longe.html?ut...

Subcomment under accepted answer.

0 Karma
Reply
Solved! Jump to solution

paimonsoror
Builder
‎02-22-2018 11:11 AM

So that didn't work 😞

What seems to work is the following:

[capability::indexes_edit]
* Lets a user change any index settings such as file size and memory limits.

Was this a new capability post 6.5 ?

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎06-28-2018 11:37 AM

This broke for us after upgrading to version 7.0. It was previously also required in version 5.x. Looks like they changed it back in version 7.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...