Users can't see new data source in existing index

dougsummersett
New Member

I apologize in advance, but I'm new to Splunk and took over for someone else. We just added a new log file to be ingested, and it does this just fine, but normal users can't see the data from this new file. It is being indexed into an index that previously existed, and they do have access to other files in this index. I've verified the destination index is correct and the same as the others. The user has the compliance_role assigned, and the compliance_role does have this index selected under "searched by default" and "restricted to". As an admin I can see the data.

Any ideas on why they can't see this data?

0 Karma

maciep
Champion

Not that users would (accidentally) lie, but have you witnessed that they can't search the data? Maybe their time range or source or sourcetype (etc.) are wrong, so they just aren't getting the results?

Are there any restricted search terms in any of the roles they belong to?

Is the user running the search from the same search head as you? If not, do they have the same settings for the role?

Can you create a test account, give it that role and see results?

0 Karma

dougsummersett
New Member

I did clone the user account and I'm also seeing the same thing from the cloned account.

When I search, it doesn't appear that it tries to search. It replies back "No Results Found" after about a second, which makes me think it's permissioning. Is there anywhere that logs searches and may provide more info?

0 Karma

maciep
Champion

You can look in the _audit and _internal indexes for that user to see if there are any errors and which searches they ran.

Does that compliance role inherit from the user role? Or another role maybe? If the users are mapped to that role and that role has access to the index, then I'm wondering if it's missing something like the search capability?

0 Karma
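
The role checks raised in this thread (inherited roles, restricted search terms, the search capability), as an added example that is not part of any post: Python that reads an authorize.conf, follows `importRoles`, and lists what could hide events from a role. The stanza contents, the `log_reader` role and the file path are constructed, and the code only reports each `srchFilter`; it does not evaluate it.

```python
import configparser
from fnmatch import fnmatchcase
# Constructed authorize.conf for illustration; not the poster's configuration.
SAMPLE = """
[role_log_reader]
srchIndexesAllowed = compliance
srchFilter = source="/var/log/app_a.log"

[role_compliance_role]
importRoles = log_reader
srchIndexesAllowed = compliance
"""

def load_roles(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep the camelCase setting names
    cp.read_string(text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def split(value):
    return [v.strip() for v in value.split(";") if v.strip()]

def effective_access(roles, name):
    """Follow importRoles from `name`; collect indexes, filters and capabilities."""
    acc, stack = {"chain": [], "indexes": set(), "filters": {}, "capabilities": set()}, [name]
    while stack:
        role = stack.pop()
        if role in acc["chain"] or role not in roles:
            continue  # already visited (import loop) or undefined role
        acc["chain"].append(role)
        conf = roles[role]
        acc["indexes"].update(split(conf.get("srchIndexesAllowed", "")))
        acc["filters"][role] = conf.get("srchFilter", "").strip()
        acc["capabilities"].update(k for k, v in conf.items() if v.lower() == "enabled")
        stack.extend(split(conf.get("importRoles", "")))
    return acc

def diagnose(roles, name, index):
    acc = effective_access(roles, name)
    # "*" does not cover internal indexes (leading "_"); those need "_*".
    allowed = any(fnmatchcase(index, p) and (p.startswith("_") or not index.startswith("_"))
                  for p in acc["indexes"])
    findings = []
    if "search" not in acc["capabilities"]:
        findings.append("no 'search' capability via " + " -> ".join(acc["chain"]))
    if not allowed:
        findings.append(f"index '{index}' not in srchIndexesAllowed")
    findings += [f"srchFilter on role '{r}': {f}" for r, f in acc["filters"].items() if f]
    return findings
```

In the constructed sample, `diagnose(load_roles(SAMPLE), "compliance_role", "compliance")` reports a missing search capability and an inherited filter pinned to one source path, which is the kind of restriction that would leave a newly added log file invisible even though the index itself is allowed.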