Using Splunk 4.1.3, is there any combination of user role capabilities & indexes that will allow a user who doesn't have the admin role to be able to see the indexing_volume view? This is the view you see here:
Splunk Search App -> Status -> Index Activity -> Indexing Volume.
As a user with the stock user role, or the stock power role, a 404 page not found is received, with the Splunk-specific error:
Splunk cannot find the "indexing_volume" view.
Thanks.
Make sure you grant the appropriate role read permissions via the Manager: Splunk -> Search App -> Manager -> User Interface -> Views -> indexing_volume -> Permissions.
You may have to do the same for several dependent views: search_status, index_status, splunkd_status, splunkweb_status, inputs_status, scheduler_status, scheduler_user_app, scheduler_savedsearch, pdf_activity
Also keep in mind that this view pulls from the _internal index, so make sure that you grant access to the _internal index to the appropriate role: Splunk -> Search App -> Manager -> Access Controls -> Roles -> Role Name -> add _internal index
For info, I've found a way to avoid giving access to _internal to the user.
It is probably possible to run a scheduled search on the _internal index and save the result in a summary accessible by the user.
I've found another way using metadata available to the users with "|dbinspect". You require 2 searches, one which is scheduled and saves at regular intervals (like every hour) the "|dbinspect" output. Another one which computes the growth of the buckets and doesn't take into account buckets which are removed.
source="First_scheduled_search_name" | eval MB = rawSize / 1024 / 1024 | sort +id +_time | streamstats current=f window=1 global=f first(rawSize) as prevRawSize | streamstats current=f window=1 global=f first(id) as prevId | eval diff=if(id == prevId, (rawSize - prevRawSize) / 1024 / 1024, "NOK") | timechart span=1d sum(diff) AS MB_indexed
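The bucket-growth calculation done by the second search above, modeled in Python as an added example (not code from the original post). The snapshot rows and the `main~N` bucket ids are constructed sample data standing in for the saved `|dbinspect` output; only `id` and `rawSize` come from the search itself.

```python
from collections import defaultdict

MB = 1024 * 1024

# Constructed sample: hourly "|dbinspect" snapshots as
# (snapshot time, bucket id, rawSize in bytes). Bucket ids are made up.
SNAPSHOTS = [
    ("2010-07-01T00:00", "main~1", 10 * MB),
    ("2010-07-01T01:00", "main~1", 14 * MB),
    ("2010-07-01T02:00", "main~1", 20 * MB),
    ("2010-07-01T01:00", "main~2", 3 * MB),   # first sighting of a new bucket
    ("2010-07-01T02:00", "main~2", 5 * MB),
    ("2010-07-02T00:00", "main~2", 9 * MB),
    # main~1 no longer appears on 2010-07-02: the bucket was removed.
]


def daily_mb_indexed(snapshots):
    """Return {day: MB of growth}, mirroring the search's logic.

    Rows are ordered by bucket id, then time ("sort +id +_time"). Each row is
    compared with the row before it (the two streamstats calls); growth is
    counted only when both rows belong to the same bucket (the if(id == prevId)
    test). Otherwise the row is skipped, like the "NOK" value.
    """
    rows = sorted(snapshots, key=lambda r: (r[1], r[0]))
    totals = defaultdict(float)
    prev_id = prev_size = None
    for ts, bucket_id, raw_size in rows:
        if bucket_id == prev_id:
            day = ts.split("T")[0]          # timechart span=1d
            totals[day] += (raw_size - prev_size) / MB
        # A bucket's first snapshot adds nothing, so data written before the
        # first sighting is not counted. A removed bucket simply stops
        # producing rows, so it never yields a negative delta.
        prev_id, prev_size = bucket_id, raw_size
    return dict(totals)


if __name__ == "__main__":
    for day, mb in sorted(daily_mb_indexed(SNAPSHOTS).items()):
        print(day, f"{mb:.1f} MB")
```
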
It looks like there may be a bug with Splunk 4.1.3. After setting all of the items mentioned above, a 500 server error results and an HTTP stack trace is thrown and captured in the logs. Opened a case on this, as stack traces shouldn't be standard with every request.
@nick correct! We had worked through this in IRC - Let me edit my answer and add this piece.
Note that you may also need to change the permissions on who can see index=_internal data. This may be a bigger deal -- for one thing since the search history is sprinkled through that index.