Security

Splunk 9.0 issue: Why is there an issue with assigning an index to a role?

matt8679
Path Finder

Prior to upgrading to Splunk Enterprise 9.0 (we were on 8.2.6), when creating or editing a role, the indexes tab had a full list of our indexes. After the upgrade, existing roles still show the checked indexes, but are missing the other available indexes. When creating a new role almost all indexes are missing from the list.

We are running a SHC and Index cluster.

I have seen this issue in the past, and we had to deploy a list of our indexes to our SHC. Another possible fix is to allow (All non-internal indexes) and add Restrictions.

Anyone else have this issue or know of a fix?

0 Karma
1 Solution

matt8679
Path Finder

I ended up creating an indexes.conf and deploying to the SHC. This fixed my issue and allowed me to assign indexes to roles again. Maybe this issue is just a bug in Splunk 9.0.


0 Karma

daniel_splunk
Splunk Employee

You can add the following to your search head to solve the issue.

server.conf

[introspection:distributed-indexes]
disabled = false

bsanch25
Explorer

I had the same issue while upgrading from 8.2.7 to 9.0.2. I opened a case with Support and they provided me with a fix. Deploy the following config entry to your search heads:

server.conf

[introspection:distributed-indexes]
disabled = false

patelmc19
Loves-to-Learn

So, you copied indexes.conf from the indexer cluster or indexer cluster manager to the SH deployer and deployed it to the SHC members?

I have installed Splunk 9.0.3 in a brand new environment (not an upgrade).

Can you please show me examples of indexes.conf from SH and index?

I copied the entire stanza from an indexer cluster server and applied it on an SH cluster member under the system/local dir, but Splunk failed to start and it did not find the volumes. I am using such volumes on the indexer servers only and I do not have them on the SH.

[xxx]
repFactor = auto
coldPath = volume:cold/xxx/colddb
homePath = volume:hot/xxx/db
thawedPath = $SPLUNK_DB/xxx/thaweddb
quarantineFutureSecs = 86500
quarantinePastSecs = 86500
maxHotSpanSecs = 86500
maxDataSize = auto
frozenTimePeriodInSecs = 2678400

0 Karma
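For the volume errors described in the post above, one approach is to give the search heads a reduced indexes.conf that lists the index names but points every path at $SPLUNK_DB rather than at indexer-only volumes. The script below is an added example, not code from the thread or from Splunk; the function names, the sample input and the choice to keep only the three paths plus `datatype` are assumptions.

```python
import re

STANZA = re.compile(r"^\[([^\]]+)\]\s*$")

# Constructed sample of an indexer-side indexes.conf (not from a real deployment).
SAMPLE = """\
[volume:hot]
path = /splunk/hot
[volume:cold]
path = /splunk/cold
[xxx]
repFactor = auto
homePath = volume:hot/xxx/db
coldPath = volume:cold/xxx/colddb
thawedPath = $SPLUNK_DB/xxx/thaweddb
[app_metrics]
datatype = metric
homePath = volume:hot/app_metrics/db
"""

def parse_stanzas(text):
    """Return {stanza_name: {key: value}} from indexes.conf text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def search_head_stub(indexer_conf):
    """Emit index stanzas for a search head with no volume: references."""
    out = []
    for name, settings in parse_stanzas(indexer_conf).items():
        if name == "default" or name.startswith("volume:"):
            continue  # volumes and defaults stay on the indexers
        out += [f"[{name}]", f"homePath = $SPLUNK_DB/{name}/db",
                f"coldPath = $SPLUNK_DB/{name}/colddb",
                f"thawedPath = $SPLUNK_DB/{name}/thaweddb"]
        if "datatype" in settings:  # keep metrics indexes marked as such
            out.append(f"datatype = {settings['datatype']}")
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    print(search_head_stub(SAMPLE))
```

Settings such as `repFactor` and the retention values are dropped on purpose, since in this sketch the search head copy exists only so the index names are known locally.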

isoutamo
SplunkTrust

Hi

I think the best practice for defining users' access to indexes in an SHC (and other SHs) is to use a separate app with authorize.conf. That way it's much easier to understand what capabilities and indexes each role contains. Using only the GUI, that's almost mission impossible without a separate app to resolve those at runtime.

r. Ismo

0 Karma