
Splunk 9.0 issue: Why is there an issue with assigning an index to a role?

matt8679
Path Finder

Prior to upgrading to Splunk Enterprise 9.0 (we were on 8.2.6), when creating or editing a role, the indexes tab had a full list of our indexes. After the upgrade, existing roles still show the checked indexes, but are missing the other available indexes. When creating a new role almost all indexes are missing from the list.

We are running a SHC and Index cluster.

I have seen this issue in the past, and we had to deploy a list of our indexes to our SHC. Another possible fix is to allow (All non-internal indexes) and add Restrictions.

Anyone else have this issue or know of a fix?

0 Karma

matt8679
Path Finder

I ended up creating an indexes.conf and deploying to the SHC. This fixed my issue and allowed me to assign indexes to roles again. Maybe this issue is just a bug in Splunk 9.0.


0 Karma

daniel_splunk
Splunk Employee

You can add the following to your search head to solve the issue.

server.conf

[introspection:distributed-indexes]
disabled = false

0 Karma

bsanch25
Engager

I had the same issue while upgrading from 8.2.7 to 9.0.2. I opened a case with Support and they provided me with a fix. Deploy the following config entry to your search heads:

server.conf

[introspection:distributed-indexes]
disabled = false

 

0 Karma


patelmc19
Loves-to-Learn

So, you copied indexes.conf from the indexer cluster or indexer cluster manager to the SH deployer and deployed it to the SHC members?

I have installed Splunk 9.0.3 in a brand new environment (not an upgrade).

Can you please show me examples of indexes.conf from the SH and index?

I copied the entire stanza from the indexer cluster server and applied it on an SH cluster member under the system/local dir, but it failed to start Splunk and it did not find the volumes. I am using such volumes on the indexer servers only and I do not have them on the SH.

[xxx]
repFactor = auto
coldPath = volume:cold/xxx/colddb
homePath = volume:hot/xxx/db
thawedPath = $SPLUNK_DB/xxx/thaweddb
quarantineFutureSecs = 86500
quarantinePastSecs = 86500
maxHotSpanSecs = 86500
maxDataSize = auto
frozenTimePeriodInSecs = 2678400

0 Karma
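
The startup failure described in the post above comes from `volume:` paths that are defined only on the indexers. As an added example (not part of the thread and not Splunk's own tooling), this sketch derives a search-head stub indexes.conf from an indexer's file so that the index names become selectable in role settings; the function names, the sample index names, the `$SPLUNK_DB` stub paths and the list of built-in indexes to skip are assumptions.

```python
import re

# Assumption: stanzas skipped because they are not custom indexes. "default" and
# "volume:*" are settings stanzas; main/history/summary and "_"-prefixed indexes
# already ship with Splunk and should not be redefined on a search head.
BUILT_IN = {"default", "main", "history", "summary"}
STANZA_RE = re.compile(r"^\[([^\]]+)\]$")


def index_names(indexes_conf_text):
    """Return custom index names from indexer indexes.conf text, in file order."""
    names = []
    for raw in indexes_conf_text.splitlines():
        m = STANZA_RE.match(raw.strip())
        if not m:
            continue  # key = value lines, comments and blanks
        name = m.group(1).strip()
        if name in BUILT_IN or name.startswith(("volume:", "_")):
            continue
        if name not in names:
            names.append(name)
    return names


def search_head_stub(indexes_conf_text):
    """Build a stub indexes.conf: index names only, no volume: paths, no repFactor."""
    out = []
    for name in index_names(indexes_conf_text):
        out += [f"[{name}]",
                f"homePath = $SPLUNK_DB/{name}/db",
                f"coldPath = $SPLUNK_DB/{name}/colddb",
                f"thawedPath = $SPLUNK_DB/{name}/thaweddb",
                ""]
    return "\n".join(out)


# Constructed sample modelled on the stanza quoted above; index names are made up.
SAMPLE = """\
[volume:hot]
path = /data/hot
[main]
homePath = volume:hot/defaultdb/db
[web_proxy]
repFactor = auto
homePath = volume:hot/web_proxy/db
coldPath = volume:cold/web_proxy/colddb
thawedPath = $SPLUNK_DB/web_proxy/thaweddb
[fw_logs]
homePath = volume:hot/fw_logs/db
"""

if __name__ == "__main__":
    print(search_head_stub(SAMPLE))
```

The generated file belongs in an app pushed from the deployer rather than in system/local on a single member, so every SHC member presents the same index list.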

isoutamo
SplunkTrust

Hi

I think the best practice for defining users’ access to indexes in an SHC (and other SHs) is to use a separate app with authorize.conf. That way it’s much easier to understand what capabilities and indexes each role contains. Using only the GUI, that’s almost mission impossible without a separate app to resolve those at runtime.

r. Ismo

0 Karma