In my authorize.conf, I have the following stanza:
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user
srchIndexesAllowed = *_predix_*;_*;last_chance_predix
srchIndexesDefault = *_predix_*
srchMaxTime = 30d
srchJobsQuota = 15
rtSrchJobsQuota = 1
If I grant a user this role, should they not be able to see internal index given `srchIndexesAllowed = *_predix;_;last_chance_predix`
Take a look at the descriptions of these two settings in the docs https://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/Authorizeconf.
Are you specifying an index in the search (index=blah | ...)? Your settings show that the indexes to search by default are the predix indexes. It does not include _internal. So you will get that error.
Hey there yes we are specifying the index _internal when we query.