Installation
Highlighted

Why can the users no longer see indexes when scheduling summary indexing after upgrading to Splunk 7.0.2?

Builder

Having a major issue here. Since upgrading to the latest version of Splunk, my users are no longer able to see the list of their indexes when scheduling a search to write to summary index.

Was there a new capability that was added that we need to add to the role?

Went from 6.5.2 - > 7.0.2

Clustered environment (4 SH, 6 IDX - indexes.conf only lives on indexers)

alt text

Above is an example. For me, the "Select the summary index" field shows all the indexes I can write to (i am admin role). But for my user, it is completely blank. Not even a single value.

Labels (1)
Highlighted

Re: Why can the users no longer see indexes when scheduling summary indexing after upgrading to Splunk 7.0.2?

Builder

Hrmm seems that I need to have the indexes.conf file also on my SH's ?

"You need to have your indexes.conf file (where the indexes are defined) on your search head. Alternatively, in later versions you can click "advanced" and update the search macro directly with (index=whatever)."

Reference: https://answers.splunk.com/answers/528891/why-is-the-enable-summary-indexing-option-no-longe.html?ut...

Subcomment under accepted answer.

0 Karma
Highlighted

Re: Why can the users no longer see indexes when scheduling summary indexing after upgrading to Splunk 7.0.2?

Builder

So that didn't work 😞

What seems to work is the following:

[capability::indexes_edit]
* Lets a user change any index settings such as file size and memory limits.

Was this a new capability post 6.5 ?

0 Karma
Highlighted

Re: Why can the users no longer see indexes when scheduling summary indexing after upgrading to Splunk 7.0.2?

Champion

This broke for us after upgrading to version 7.0. It was previously also required in version 5.x. Looks like they changed it back in version 7.

0 Karma
Highlighted

Re: Why can the users no longer see indexes when scheduling summary indexing after upgrading to Splunk 7.0.2?

Builder

Similar happened to me a while back.

Try creating the index via the GUI on the search head. Worked for me. What I found in my situation is that the SHC doesn't read the indexes.conf without a restart even though I pushed from the deployer. Creating the index via the GUI seemed to be a work around (I have since, deleted the local file and restarted which worked)

0 Karma
Highlighted

Re: Why can the users no longer see indexes when scheduling summary indexing after upgrading to Splunk 7.0.2?

Builder

Submitted this to support. looks like it might be part of a known bug. Will report back as soon as i have more info.

Highlighted

Re: Why can the users no longer see indexes when scheduling summary indexing after upgrading to Splunk 7.0.2?

Champion

Known bug (now) SPL-154382:
http://docs.splunk.com/Documentation/Splunk/7.0.4/ReleaseNotes/Knownissues

Looks like changes to capabilities required to be able to see this list of summary indexes. The role that is scheduling the search needs to include "indexesedit" and "dispatchresttoindexers" capabilities. Once this is configured, user should see the list of summary indexes.

View solution in original post

0 Karma