Security

What is causing an incomplete index list for role creation?

jpvalenc
Path Finder

Hi All,

We recently upgraded to Splunk Enterprise version 7.3.1.1 and we're trying to add new roles to the instance. However, we noticed that in the index restriction section not every index is being listed. It seems to only list the first 100 indexes.

Is this a bug for 7.3.1.1? Is there a workaround available for it?

1 Solution

jpvalenc
Path Finder

Just an update, we were able to open a case for it and below were the given steps for a workaround:

Please follow the workaround steps to fix the issue.

A. On every affected SH, edit:

Go to the following path:

/opt/splunk/share/splunk/search_mrsparkle/exposed/build/pages/enterprise/

Look for the file: authorization_roles.js

B. Then find the following information.

this.indexListSearchJob.getResults().subscribe((results)

C. Add the following between the parentheses.

{ count: 1000 }

so that it looks like this: 

this.indexListSearchJob.getResults({ count: 1000 }).subscribe((results)

D. Save file and hit the _bump endpoint:

https://<yourSplunk>/en-US/_bump

This depends on whether you are using the secure UI: if so, add the "s"; if not, you can use it like this:

http://<yourSplunk>/en-US/_bump

However, I couldn’t find the string stated in bullet point B [this.indexListSearchJob.getResults().subscribe((results)] but I did find a similar string which says “this.indexListSearchJob.getResults().subscribe(function(results)” and that’s where I applied the workaround. Also, I tried opening the file with a text editor and saving it, which led to a bunch of invalid characters showing up. I instead used the sed command to replace the text.

Hope this helps!
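
The sed-based edit described in the post above, as an added example that is not part of the original post and not Splunk's own tooling: it applies steps B and C with a backup, matches both the "(results)" and "function(results)" forms, and is safe to re-run. The function name patch_index_limit and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: applies steps B-C of the workaround with sed, keeping a backup.
# Step D (hitting the _bump endpoint) is still done by hand afterwards.

# patch_index_limit FILE
#   returns 0 = patched or already patched, 2 = file missing,
#           3 = expected call not found, 1 = edit could not be verified
patch_index_limit() {
    file=$1
    orig='this.indexListSearchJob.getResults().subscribe('
    fixed='this.indexListSearchJob.getResults({ count: 1000 }).subscribe('

    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }

    # Idempotent: do nothing if the count argument is already present.
    if grep -qF "$fixed" "$file"; then
        echo "already patched: $file"
        return 0
    fi
    # Refuse to touch a file that does not contain the expected call.
    if ! grep -qF "$orig" "$file"; then
        echo "call not found in $file" >&2
        return 3
    fi

    # Matching up to ".subscribe(" covers both the "(results)" and the
    # "function(results)" form. -i.bak keeps the original beside the file.
    sed -i.bak \
        's/this\.indexListSearchJob\.getResults()\.subscribe(/this.indexListSearchJob.getResults({ count: 1000 }).subscribe(/g' \
        "$file"

    # Verify the edit; restore the backup if it did not take.
    grep -qF "$fixed" "$file" || { mv "$file.bak" "$file"; return 1; }
    echo "patched: $file (backup: $file.bak)"
}

# Constructed sample standing in for the minified authorization_roles.js.
demo_dir=$(mktemp -d)
printf '%s\n' 'a.b=1;this.indexListSearchJob.getResults().subscribe(function(results){c(results)});' \
    > "$demo_dir/authorization_roles.js"
patch_index_limit "$demo_dir/authorization_roles.js"
cat "$demo_dir/authorization_roles.js"
```

On a search head, pass the authorization_roles.js file under the path from step A, then carry out step D.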

romanrj
Engager

That workaround does work. We tested it out this morning and will be putting it in place until we upgrade. Thanks!

romanrj
Engager

We opened a support case with Splunk for this issue. Apparently it is a known issue tracked with "SPL-172789 - Index Selection for roles only shows 100 indexes" and has been marked as fixed in 7.3.3. We will be upgrading to that version to correct this issue.

maciep
Champion

Still seems to be here in 7.3.2. Have you opened a support case by chance?

jpvalenc
Path Finder

Just posted the workaround. Sorry it took a while.
