How can we add more than 50 indexes to one role in Splunk?


How can we add more than 50 indexes to one role in Splunk? I have a role for which the users in this role should be able to search 87 indexes. I have added the names of all 87 indexes in the following fields in my local authorize.conf in the deployer and pushed the config to search heads:
srchIndexesAllowed and srchIndexesDefault. However, I can see on my Splunk UI that a total of 50 indexes were only added to the role. Where can i redefine this limit, if possible?

0 Karma

Super Champion

may be I don't know your environment, but few questions
- why more than 50 individual indexes to your role? Don't you have a naming convention for your indexes? You could just use wildcards like srchIndexesAllowed = my_web_*;my_os_* . Naming convention is a must in large environments
- Its bad practice to add so many indexes to a single role. Allocate granular roles with permissions and import those roles into a parent role. eg: team_lead_os should import from windows_only and nix_only roles etc. Each child role should have stricter indexes listed.

0 Karma