We would like to find out who has access to a certain index. How can we do that?
To find roles that access index 'foo', look for srchIndexesAllowed = foo
or srchIndexesAllowed = *
in your authorize.conf files. Btool can help.
splunk btool --debug authorize list | grep 'srchIndexesAllowed\s*=.*(\*|foo)'
To find roles that access index 'foo', look for srchIndexesAllowed = foo
or srchIndexesAllowed = *
in your authorize.conf files. Btool can help.
splunk btool --debug authorize list | grep 'srchIndexesAllowed\s*=.*(\*|foo)'