Security

Splunk 9.0 issue: Why is there an issue with assigning an index to a role?

matt8679
Path Finder

Prior to upgrading to Splunk Enterprise 9.0 (we were on 8.2.6), when creating or editing a role, the indexes tab had a full list of our indexes. After the upgrade, existing roles still show the checked indexes, but are missing the other available indexes. When creating a new role almost all indexes are missing from the list.

We are running a SHC and Index cluster.

I have seen this issue in the past, and we had to deploy a list of our indexes to our SHC. Another possible fix is to allow (All non-internal indexes) and add Restrictions.

Anyone else have this issue or know of a fix?


matt8679
Path Finder

I ended up creating an indexes.conf and deploying to the SHC. This fixed my issue and allowed me to assign indexes to roles again. Maybe this issue is just a bug in Splunk 9.0.


daniel_splunk
Splunk Employee

You can add the following to your search head to solve the issue.

server.conf

[introspection:distributed-indexes]
disabled = false

bsanch25
Explorer

I had the same issue while upgrading from 8.2.7 to 9.0.2. I opened a case with Support and they provided me with a fix. Deploy the following config entry to your search heads:

server.conf

[introspection:distributed-indexes]
disabled = false

 


patelmc19
Loves-to-Learn

So, you copied indexes.conf from the indexer cluster or indexer cluster manager to the SH deployer and deployed it to the SHC members?

I have installed Splunk 9.0.3 in a brand new environment (not an upgrade).

Can you please show me examples of indexes.conf from SH and index?

I copied the entire stanza from the indexer cluster server and applied it on an SH cluster member under the system/local dir, but Splunk failed to start and it did not find the volumes. I am using such volumes on the indexer servers only and I do not have them on the SH.

[xxx]
repFactor = auto
coldPath = volume:cold/xxx/colddb
homePath = volume:hot/xxx/db
thawedPath = $SPLUNK_DB/xxx/thaweddb
quarantineFutureSecs = 86500
quarantinePastSecs = 86500
maxHotSpanSecs = 86500
maxDataSize = auto
frozenTimePeriodInSecs = 2678400

0 Karma
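The stanza above cannot be copied to a search head as-is because its `volume:` paths only resolve on the indexers. The following is an added example, not code from any poster or from Splunk: it derives a names-only indexes.conf for search heads from an indexer-side file. The index names `web` and `fw`, the volume paths, and the choice to use `$SPLUNK_DB` paths and to skip internal (`_*`) indexes are assumptions.

```python
import re

# Constructed sample: an indexer-side indexes.conf that uses volumes,
# modelled on the stanza posted above ("web" and "fw" are made-up names).
INDEXER_CONF = """\
[volume:hot]
path = /data/hot

[volume:cold]
path = /data/cold

[web]
repFactor = auto
homePath = volume:hot/web/db
coldPath = volume:cold/web/colddb
thawedPath = $SPLUNK_DB/web/thaweddb
frozenTimePeriodInSecs = 2678400

[fw]
repFactor = auto
homePath = volume:hot/fw/db
coldPath = volume:cold/fw/colddb
thawedPath = $SPLUNK_DB/fw/thaweddb
"""

STANZA = re.compile(r"^\[([^\]]+)\]$")

def index_names(conf_text):
    """Return index stanza names, skipping [default], [volume:*] and _internal-style indexes."""
    names = []
    for line in conf_text.splitlines():
        m = STANZA.match(line.strip())
        name = m.group(1) if m else None
        if not name or name == "default" or name.startswith(("volume:", "_")):
            continue
        if name not in names:
            names.append(name)
    return names

def search_head_stub(conf_text):
    """Build a search-head indexes.conf: index names only, no volume: paths, no repFactor."""
    return "\n".join(
        f"[{n}]\n"
        f"homePath = $SPLUNK_DB/{n}/db\n"
        f"coldPath = $SPLUNK_DB/{n}/colddb\n"
        f"thawedPath = $SPLUNK_DB/{n}/thaweddb\n"
        for n in index_names(conf_text))

if __name__ == "__main__":
    print(search_head_stub(INDEXER_CONF))
```

The output is meant to be packaged as an app and pushed from the deployer rather than placed in system/local on a single member.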

isoutamo
SplunkTrust

Hi

I think the best practice for defining users' access to indexes in an SHC (and other SHs) is to use a separate app with authorize.conf. That way it's much easier to understand what capabilities and indexes each role contains. Using only the GUI, that's almost mission impossible without a separate app to resolve those at runtime.

r. Ismo

0 Karma