How can we add more than 50 indexes to one role in Splunk?

sarahafrin
Explorer

How can we add more than 50 indexes to one role in Splunk? I have a role whose users should be able to search 87 indexes. I have added the names of all 87 indexes in the following fields in my local authorize.conf in the deployer and pushed the config to search heads: srchIndexesAllowed and srchIndexesDefault. However, I can see in my Splunk UI that only a total of 50 indexes were added to the role. Where can I redefine this limit, if possible?

0 Karma

koshyk
Super Champion

Maybe I don't know your environment, but a few questions:
- Why more than 50 individual indexes to your role? Don't you have a naming convention for your indexes? You could just use wildcards like srchIndexesAllowed = my_web_*;my_os_* . A naming convention is a must in large environments.
- It's bad practice to add so many indexes to a single role. Allocate granular roles with permissions and import those roles into a parent role, e.g. team_lead_os should import from the windows_only and nix_only roles, etc. Each child role should have stricter indexes listed.

0 Karma