
Splunk 9.0 issue: Why is there an issue with assigning an index to a role?

matt8679
Path Finder

Prior to upgrading to Splunk Enterprise 9.0 (we were on 8.2.6), when creating or editing a role, the indexes tab had a full list of our indexes. After the upgrade, existing roles still show the checked indexes, but are missing the other available indexes. When creating a new role almost all indexes are missing from the list.

We are running an SHC and an indexer cluster.

I have seen this issue in the past, and we had to deploy a list of our indexes to our SHC. Another possible fix is to allow (All non-internal indexes) and add restrictions.

Anyone else have this issue or know of a fix?

1 Solution

matt8679
Path Finder

I ended up creating an indexes.conf and deploying to the SHC. This fixed my issue and allowed me to assign indexes to roles again. Maybe this issue is just a bug in Splunk 9.0.


daniel_splunk
Splunk Employee

You can add the following to your search head to solve the issue.

server.conf

[introspection:distributed-indexes]
disabled = false


bsanch25
Engager

I had the same issue while upgrading from 8.2.7 to 9.0.2. I opened a case with Support and they provided me with a fix. Deploy the following config entry to your search heads:

server.conf

[introspection:distributed-indexes]
disabled = false



patelmc19
Loves-to-Learn

So, you copied indexes.conf from the indexer cluster or the indexer cluster manager to the SH deployer and deployed it to the SHC members?

I have installed Splunk 9.0.3 in a brand new environment (not an upgrade).

Can you please show me examples of indexes.conf from the SH and the indexer.

I copied the entire stanza from the indexer cluster server and applied it on the SH cluster member under the system/local dir, but Splunk failed to start and it did not find the volumes. I am using such volumes on the indexer servers only and do not have them on the SH.

[xxx]
repFactor = auto
coldPath = volume:cold/xxx/colddb
homePath = volume:hot/xxx/db
thawedPath = $SPLUNK_DB/xxx/thaweddb
quarantineFutureSecs = 86500
quarantinePastSecs = 86500
maxHotSpanSecs = 86500
maxDataSize = auto
frozenTimePeriodInSecs = 2678400


isoutamo
SplunkTrust

Hi

I think the best practice for defining users' access to indexes in an SHC (and on other SHs) is to use a separate app with authorize.conf. That way it's much easier to understand which capabilities and indexes each role contains. Using only the GUI, that's almost mission impossible without a separate app to resolve those at runtime.

r. Ismo

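Two things in this thread lend themselves to a small script: the indexes.conf copied from the indexers failed on the search head because it referenced volumes that exist only on the indexers, and the suggestion above to keep role-to-index access in authorize.conf inside a separate app. The following is an added example, not code from this thread or from Splunk. It parses Splunk's stanza-style .conf format, derives a search-head indexes.conf that keeps only the index names (with homePath, coldPath and thawedPath pointed under $SPLUNK_DB so nothing references indexer volumes), and then resolves each role in authorize.conf, including importRoles, against the indexes the search head knows about, listing any entry that matches no known index. The assumption that a search-head copy needs only the stanza names and those three path keys is mine, not something the thread states; every index name, role name, path and volume in the samples is constructed.

```python
"""Added example, not code from the thread or from Splunk: a small parser for
Splunk's .conf format, used to (1) derive a search-head indexes.conf without
the volume: references that broke startup above, and (2) audit authorize.conf
role -> index access. All sample data is constructed."""
import re
from fnmatch import fnmatchcase

# Constructed indexer-side indexes.conf that relies on volumes, as in the thread.
INDEXER_CONF = """
[volume:hot]
path = /opt/splunk/var/lib/splunk
[volume:cold]
path = /mnt/cold
[xxx]
repFactor = auto
coldPath = volume:cold/xxx/colddb
homePath = volume:hot/xxx/db
thawedPath = $SPLUNK_DB/xxx/thaweddb
[proxylogs]
repFactor = auto
coldPath = volume:cold/proxylogs/colddb
homePath = volume:hot/proxylogs/db
thawedPath = $SPLUNK_DB/proxylogs/thaweddb
"""
# Constructed search-head authorize.conf; 'winevents' is an index the SH does not know.
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = xxx
[role_secops]
importRoles = user
srchIndexesAllowed = proxylogs;winevents
"""


def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}};
    keys before the first header go to 'default' (no continuation support)."""
    conf, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            conf.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf.setdefault(current, {})[key.strip()] = value.strip()
    return conf


def searchhead_indexes_conf(indexer_conf):
    """Assumption (not stated in the thread): the search head needs only the
    index names for the role editor, so keep each stanza with just the three
    path keys under $SPLUNK_DB and drop volume stanzas and indexer settings."""
    sh = {}
    for stanza in indexer_conf:
        if stanza == "default" or stanza.startswith("volume:"):
            continue
        sh[stanza] = {"homePath": f"$SPLUNK_DB/{stanza}/db",
                      "coldPath": f"$SPLUNK_DB/{stanza}/colddb",
                      "thawedPath": f"$SPLUNK_DB/{stanza}/thaweddb"}
    return sh


def _split_list(value):  # authorize.conf lists are ';'-separated
    return [v.strip() for v in value.split(";") if v.strip()]


def _expand(pattern, known):
    """Bare '*' in Splunk means every non-internal index; otherwise a wildcard."""
    if pattern == "*":
        return {ix for ix in known if not ix.startswith("_")}
    return {ix for ix in known if fnmatchcase(ix, pattern)}


def role_indexes(auth, role, known, _seen=None):
    """Return (indexes the role can search, entries matching no known index),
    following importRoles recursively with a guard against import cycles."""
    _seen = set() if _seen is None else _seen
    if role in _seen:
        return set(), []
    _seen.add(role)
    stanza = auth.get(f"role_{role}", {})
    matched, unmatched = set(), []
    for pattern in _split_list(stanza.get("srchIndexesAllowed", "")):
        hits = _expand(pattern, known)
        matched |= hits
        if not hits:
            unmatched.append(pattern)
    for parent in _split_list(stanza.get("importRoles", "")):
        m, u = role_indexes(auth, parent, known, _seen)
        matched, unmatched = matched | m, unmatched + u
    return matched, unmatched


SH_CONF = searchhead_indexes_conf(parse_conf(INDEXER_CONF))
AUTH = parse_conf(AUTHORIZE_CONF)

if __name__ == "__main__":
    for role in (s[5:] for s in AUTH if s.startswith("role_")):
        print(role, role_indexes(AUTH, role, set(SH_CONF)))
```

The "unmatched" list is the scripted form of the symptom in the original post: an entry in srchIndexesAllowed that the search head cannot resolve to a local indexes.conf stanza is exactly what the role editor cannot show. Run against the real files (for example the merged output of `splunk btool indexes list` and `splunk btool authorize list` on a search head) it tells you which index names still need to reach the SHC before the roles will look right.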