I have created three new indexes (to be used as summary indexes for someone's saved searches).
When I (as a member of the Admin role in Splunk) go to create a new Saved Search, I am able to select these new indexes from the "Select the summary index" drop-down list.
When the user that I created these indexes for attempts to select a summary index, their only option is the default summary index "summary."
This user is a member of a role with srchIndexesAllowed = *
I know srchIndexesAllowed is a read permission. How do I set a write permission for the role on these new summary indexes so they can select them to be used in their saved searches?
This just came up for me. Apparently the user has to have the "indexes_edit" capability.
That's not so great. Indexes don't have permissions like other objects at this point. Perhaps they should? Read instead of adding read access at the role level? Write to allow collect to function, and therefore summary indexing?
The confusing thing would be that this setting simply couldn't apply at index time, since events don't have permissions when they arrive at the indexers.
When I look at the role in the web GUI (Manager » Access controls » Roles), the very last item is titled "Indexes" and provides a list of "available indexes" which lists all of the indexes from which we can select indexes available to the role. The "Selected search indexes" for this role is "All non-internal indexes" - this is because in authorize.conf, we have specified the role has srchIndexesAllowed=*.
Check the allowed indexes for the role; it's the last item in the role configuration. Do the new summary indexes appear in the list as allowed for this role? If not, then the user will not be able to "see" the indexes, much less write to them, regardless of their permissions.
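For reviewing the two settings discussed in this thread (the `indexes_edit` capability and a role's `srchIndexesAllowed` list), the following is an added example, not code from any poster or from Splunk. It reads the text of a single authorize.conf, follows `importRoles`, and reports for each role whether it ends up with the capability and which search indexes it is allowed. The role and index names in the sample are constructed, and merging of default/local configuration layers is not modelled.

```python
import configparser

# Constructed sample authorize.conf; role and index names are hypothetical.
SAMPLE_CONF = """
[role_user]
srchIndexesAllowed = main

[role_summary_writer]
importRoles = user
srchIndexesAllowed = *
indexes_edit = enabled

[role_analyst]
importRoles = summary_writer
srchIndexesAllowed = main;summary;summary_sales
"""

def load_roles(text):
    """Parse authorize.conf text into {role: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of keys such as srchIndexesAllowed
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def effective(roles, name, seen=None):
    """Return (capabilities, search indexes) for a role, following importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # import loop or unknown role
        return set(), set()
    seen.add(name)
    caps, idx = set(), set()
    for key, value in roles[name].items():
        value = value.strip()
        if key == "importRoles":
            for parent in filter(None, (p.strip() for p in value.split(";"))):
                parent_caps, parent_idx = effective(roles, parent, seen)
                caps |= parent_caps
                idx |= parent_idx
        elif key == "srchIndexesAllowed":
            idx |= {i.strip() for i in value.split(";") if i.strip()}
        elif value == "enabled":  # capabilities are written as "<name> = enabled"
            caps.add(key)
    return caps, idx

def audit(text, capability="indexes_edit"):
    """Map each role to (has the capability, sorted allowed search indexes)."""
    roles = load_roles(text)
    return {r: (capability in effective(roles, r)[0], sorted(effective(roles, r)[1]))
            for r in roles}
```

Calling `audit()` on the contents of a real authorize.conf shows which roles pick up `indexes_edit` only through inheritance, which is easy to miss when reading the stanzas one at a time.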