Knowledge Management

Allowing a role to write to a non-standard summary index

Path Finder

I have created a new summary index (let's call it summary_example) so that we can use it in an app as a destination for summary indexing.

I have given the appropriate role read access to the index, but it doesn't show up in the dropdown when enabling summary indexing for a saved search. If I do it using an admin user, it does show up.

This suggests that there is either a permission I can grant to allow write access to the summary index by the role, or a capability that the role should have to allow it to write to all summary indexes (I'd prefer the former for obvious reasons)

Splunk Employee
Splunk Employee

The new index has to be visible to the new role :

in the manager > access control > role

  • verify that the index is in the list of the "searchable indexes" (not necessarily in the "indexes searches by default" list)
  • that the role inherit from power or has the capability "schedule_search"
    • that our new index do not has CAPS or exotic characters in the name.

Other remark, if you have a distributed search and the summary index defined on the indexers (but not on the search-head), please define it also in the search-head to have it accessible in the lists (and setup your search-head to forward the events to the indexers is you want to store the results on the indexers)

0 Karma

Path Finder

Did you manage to find a solution to this issue? I've just encountered it as well

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!


Or Learn More in Our Blog >>