Security

What is causing an incomplete index list for role creation?

Explorer

Hi All,

We recently upgraded to Splunk Enterprise vesion 7.3.1.1 and we're trying to add new roles to the instance. However, we noticed that on the index restriction section that not every index is being listed. It seems to only list the first 100 indexes.

Is this a bug for 7.3.1.1? Is there a workaround available for it?

1 Solution

Explorer

Just an update, we were able to open a case for it and below were the given steps for a workaround:

Please follow the workaround steps to fix the issue.

A. on every affected SH edit

Go to the next path

/opt/splunk/share/splunk/search_mrsparkle/exposed/build/pages/enterprise/

Look the file: authorization_roles.js

B. Then find the following information.

this.indexListSearchJob.getResults().subscribe((results)

C. Add the following between the parentheses.

{ count: 1000 }

so that it looks like this: 

this.indexListSearchJob.getResults({ count: 1000 }).subscribe((results)

D. Save file and hit the _bump endpoint:

https://<yourSplunk>/en-US/_bump on this point will depend if you are using secure UI add the s and if not you can log into like this 

http://<yourSplunk>/en-US/_bump

However, I couldn’t find the string stated in bullet point B [this.indexListSearchJob.getResults().subscribe((results)] but I did find a similar string which says “this.indexListSearchJob.getResults().subscribe(function(results)” and that’s where I applied the workaround. Also, I tried opening the file with a text editor and saving it leading to a bunch of invalid characters to show up. I instead used the sed command to replace the text.

Hope this helps!

View solution in original post

Explorer

Just an update, we were able to open a case for it and below were the given steps for a workaround:

Please follow the workaround steps to fix the issue.

A. on every affected SH edit

Go to the next path

/opt/splunk/share/splunk/search_mrsparkle/exposed/build/pages/enterprise/

Look the file: authorization_roles.js

B. Then find the following information.

this.indexListSearchJob.getResults().subscribe((results)

C. Add the following between the parentheses.

{ count: 1000 }

so that it looks like this: 

this.indexListSearchJob.getResults({ count: 1000 }).subscribe((results)

D. Save file and hit the _bump endpoint:

https://<yourSplunk>/en-US/_bump on this point will depend if you are using secure UI add the s and if not you can log into like this 

http://<yourSplunk>/en-US/_bump

However, I couldn’t find the string stated in bullet point B [this.indexListSearchJob.getResults().subscribe((results)] but I did find a similar string which says “this.indexListSearchJob.getResults().subscribe(function(results)” and that’s where I applied the workaround. Also, I tried opening the file with a text editor and saving it leading to a bunch of invalid characters to show up. I instead used the sed command to replace the text.

Hope this helps!

View solution in original post

Engager

That workaround does work. We tested it out this morning and will be putting it in place until we upgrade. Thanks!

0 Karma

Engager

We opened a support case with Splunk for this issue. Apparently it is a known issue tracked with "SPL-172789 - Index Selection for roles only shows 100 indexes" and has been marked as fixed in 7.3.3. We will be upgrading to that version to correct this issue.

Champion

Still seems to be here in 7.3.2. Have you opened a support case by chance?

0 Karma

Explorer

Just posted the workaround. Sorry it took a while.

0 Karma