Solved: Non-admin users being able to see indexing volume ...

dpaper · ‎01-26-2011

Using Splunk 4.1.3, is there any combination of user role capabilities & indexes that will allow a user who doesn't have the admin role to be able to see the indexing_volume view? This is the view you see here:

Splunk Search App -> Status -> Index Activity -> Indexing Volume.

As a user with the stock user role, or the stock power role, a 404 page not found is received, with the Splunk specific error:

Splunk cannot find the "indexing_volume" view.

Thanks.

ftk · ‎01-26-2011

Make sure you grant the appropriate role read permissions via the Manager: Splunk -> Search App -> Manager -> User Interface -> Views -> indexing_volume -> Permissions.

You may have to do the same for several dependent views: search_status, index_status, splunkd_status, splunkweb_status, inputs_status, scheduler_status, scheduler_user_app, scheduler_savedsearch, pdf_activity

Also keep in mind that this view pulls from the _internal index, so make sure that you grant access to the _internal index to the appropriate role: Splunk -> Search App -> Manager -> Access Controls -> Roles -> Role Name -> add _internal index

View solution in original post

yoho · ‎12-04-2013

For info, I've found a way to avoid giving access to _internal to the user.

It is probably possible to run a scheduled search on the _internal index and save the result in a summary accessible by the user.

I've found another way using metadata available to the users with "|dbinspect". You require 2 searches, one which is scheduled and saves at regular intervals (like every hour) the "|dbinspect" output. Another one which computes the growth of the buckets and doesn't take into account buckets which are removed.

source="First_scheduled_search_name" | eval MB = rawSize / 1024 / 1024 | sort +id +_time | streamstats current=f window=1 global=f first(rawSize) as prevRawSize | streamstats current=f window=1 global=f first(id) as prevId  | eval diff=if(id == prevId, (rawSize - prevRawSize) / 1024 / 1024, "NOK") | timechart span=1d sum(diff) AS MB_indexed

ftk · ‎01-26-2011

Make sure you grant the appropriate role read permissions via the Manager: Splunk -> Search App -> Manager -> User Interface -> Views -> indexing_volume -> Permissions.

You may have to do the same for several dependent views: search_status, index_status, splunkd_status, splunkweb_status, inputs_status, scheduler_status, scheduler_user_app, scheduler_savedsearch, pdf_activity

Also keep in mind that this view pulls from the _internal index, so make sure that you grant access to the _internal index to the appropriate role: Splunk -> Search App -> Manager -> Access Controls -> Roles -> Role Name -> add _internal index

dpaper · ‎01-26-2011

It looks like there may be a bug with Splunk 4.1.3. After setting all of the items mentioned above, a 500 server error results and a HTTP stacktrace is thrown and captured in the logs. Opened a case on this, as stack traces shouldn't be standard with every request.

ftk · ‎01-26-2011

@nick correct! We had worked through this in IRC - Let me edit my answer and add this piece.

sideview · ‎01-26-2011

Note that you may also need to change the permissions on who can see index=_internal data. This may be a bigger deal -- for one thing since the search history is sprinkled through that index.

Non-admin users being able to see indexing volume view?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor