Allowing a role to write to a non-standard summary...

willthames2 · ‎06-27-2012

I have created a new summary index (let's call it summary_example) so that we can use it in an app as a destination for summary indexing.

I have given the appropriate role read access to the index, but it doesn't show up in the dropdown when enabling summary indexing for a saved search. If I do it using an admin user, it does show up.

This suggests that there is either a permission I can grant to allow write access to the summary index by the role, or a capability that the role should have to allow it to write to all summary indexes (I'd prefer the former for obvious reasons)

yannK · ‎03-12-2013

The new index has to be visible to the new role :

in the manager > access control > role

verify that the index is in the list of the "searchable indexes" (not necessarily in the "indexes searches by default" list)
that the role inherit from power or has the capability "schedule_search"
- that our new index do not has CAPS or exotic characters in the name.

Other remark, if you have a distributed search and the summary index defined on the indexers (but not on the search-head), please define it also in the search-head to have it accessible in the lists (and setup your search-head to forward the events to the indexers is you want to store the results on the indexers)

spock_yh · ‎08-01-2012

Did you manage to find a solution to this issue? I've just encountered it as well

Allowing a role to write to a non-standard summary index

Changes to Splunk Instructor-Led Training Completion Criteria

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3