Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Re: Users can't see new data source in existing in...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Users can't see new data source in existing index
I apologize in advance but I'm new to Splunk and took over for someone else. We just added a new log file to be ingested and it does this just fine but normal users can't see the data from this new file. It is being indexed into a index that previously existed that they do have access to other files in this index. I've verified the destination index is correct and the same as the others. The user has the compliance_role assigned and the compliance_role does have this Index selected under searched by default and restricted to. As an admin I can see the data.
Any ideas on why they can't see this data?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not that users would (accidentally) lie but have you witnessed that they can't search the data? Maybe their time range or source or sourcetype (etc) are wrong, so they just aren't getting the results?
Are there any restricted search terms in any of the roles they belong to?
Is the user running the search from the same search head as you? If not, do they have the same settings for the role?
Can you create a test account, give it that role and see results?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did clone the user account and I'm also seeing the same thing from the cloned account.
When I search it doesn't appear that it tries to search. It replies back No Results Found after about a second which makes me think it's permissioning. Is there anywhere that logs searches and may provide more info?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you can look in the _audit and _internal indexes for that user to see if there are any errors and which searches they ran.
Does that compliance role inherit from the user role? Or another role maybe? If the users are mapped to that role and that role has access to the index, then I'm wondering if it's missing something like the search capability?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
