Having a major issue here. Since upgrading to the latest version of Splunk, my users are no longer able to see the list of their indexes when scheduling a search to write to summary index.
Was there a new capability that was added that we need to add to the role?
Went from 6.5.2 - > 7.0.2
Clustered environment (4 SH, 6 IDX - indexes.conf only lives on indexers)
Above is an example. For me, the "Select the summary index" field shows all the indexes I can write to (i am admin role). But for my user, it is completely blank. Not even a single value.
Hrmm seems that I need to have the indexes.conf file also on my SH's ?
"You need to have your indexes.conf file (where the indexes are defined) on your search head. Alternatively, in later versions you can click "advanced" and update the search macro directly with (index=whatever)."
Subcomment under accepted answer.
So that didn't work 😞
What seems to work is the following:
* Lets a user change any index settings such as file size and memory limits.
Was this a new capability post 6.5 ?
This broke for us after upgrading to version 7.0. It was previously also required in version 5.x. Looks like they changed it back in version 7.
Similar happened to me a while back.
Try creating the index via the GUI on the search head. Worked for me. What I found in my situation is that the SHC doesn't read the indexes.conf without a restart even though I pushed from the deployer. Creating the index via the GUI seemed to be a work around (I have since, deleted the local file and restarted which worked)
Submitted this to support. looks like it might be part of a known bug. Will report back as soon as i have more info.
Known bug (now) SPL-154382:
Looks like changes to capabilities required to be able to see this list of summary indexes. The role that is scheduling the search needs to include "indexesedit" and "dispatchresttoindexers" capabilities. Once this is configured, user should see the list of summary indexes.