Security

Non-admin users being able to see indexing volume view?

dpaper
Explorer

Using Splunk 4.1.3, is there any combination of user role capabilities & indexes that will allow a user who doesn't have the admin role to be able to see the indexing_volume view? This is the view you see here:

Splunk Search App -> Status -> Index Activity -> Indexing Volume.

As a user with the stock user role, or the stock power role, a 404 page not found is received, with the Splunk specific error:

Splunk cannot find the "indexing_volume" view.

Thanks.

Tags (3)
1 Solution

ftk
Motivator

Make sure you grant the appropriate role read permissions via the Manager: Splunk -> Search App -> Manager -> User Interface -> Views -> indexing_volume -> Permissions.

You may have to do the same for several dependent views: search_status, index_status, splunkd_status, splunkweb_status, inputs_status, scheduler_status, scheduler_user_app, scheduler_savedsearch, pdf_activity

Also keep in mind that this view pulls from the _internal index, so make sure that you grant access to the _internal index to the appropriate role: Splunk -> Search App -> Manager -> Access Controls -> Roles -> Role Name -> add _internal index

View solution in original post

yoho
Contributor

For info, I've found a way to avoid giving access to _internal to the user.

It is probably possible to run a scheduled search on the _internal index and save the result in a summary accessible by the user.

I've found another way using metadata available to the users with "|dbinspect". You require 2 searches, one which is scheduled and saves at regular intervals (like every hour) the "|dbinspect" output. Another one which computes the growth of the buckets and doesn't take into account buckets which are removed.

source="First_scheduled_search_name" | eval MB = rawSize / 1024 / 1024 | sort +id +_time | streamstats current=f window=1 global=f first(rawSize) as prevRawSize | streamstats current=f window=1 global=f first(id) as prevId  | eval diff=if(id == prevId, (rawSize - prevRawSize) / 1024 / 1024, "NOK") | timechart span=1d sum(diff) AS MB_indexed
0 Karma

ftk
Motivator

Make sure you grant the appropriate role read permissions via the Manager: Splunk -> Search App -> Manager -> User Interface -> Views -> indexing_volume -> Permissions.

You may have to do the same for several dependent views: search_status, index_status, splunkd_status, splunkweb_status, inputs_status, scheduler_status, scheduler_user_app, scheduler_savedsearch, pdf_activity

Also keep in mind that this view pulls from the _internal index, so make sure that you grant access to the _internal index to the appropriate role: Splunk -> Search App -> Manager -> Access Controls -> Roles -> Role Name -> add _internal index

dpaper
Explorer

It looks like there may be a bug with Splunk 4.1.3. After setting all of the items mentioned above, a 500 server error results and a HTTP stacktrace is thrown and captured in the logs. Opened a case on this, as stack traces shouldn't be standard with every request.

0 Karma

ftk
Motivator

@nick correct! We had worked through this in IRC - Let me edit my answer and add this piece.

0 Karma

sideview
SplunkTrust
SplunkTrust

Note that you may also need to change the permissions on who can see index=_internal data. This may be a bigger deal -- for one thing since the search history is sprinkled through that index.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...