I am monitoring Linux hosts (I've installed Splunk Add-on for *Nix....).
When I run the search
sourcetype="linux_audit" in "Search and Report" app for last 6 months as USER1, I get zero results. However, the same search in the same time window with admin user gives about 183.445 events!!!? How is it possible?
Thanks for support
You have to verify two points in the role assigned to USER1:
To verify roles, you have to go to [Settings -- Access Controls -- Roles]
Thanks a lot Giuseppe, I solved it by putting all internal indexes into USER1's role; they were missing from that role but present in the admin's role.
How can I know in which index the "linux_audit" sourcetype is inserted? I did not do any conscious configuration at this level....
To know in which indexes events with sourcetype=linux_audit are ingested, you have to run a search like this:
| metasearch index=* sourcetype=linux_audit | dedup index | table index
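Added example, not part of the thread and not Splunk's own code: a small checker that ties the two answers together. It parses an authorize.conf-style fragment (the role stanzas, index names and metasearch output below are constructed for illustration) and reports which of the indexes that hold a sourcetype a given role cannot search. It applies the Splunk rule that srchIndexesAllowed is a ';'-separated list of patterns where `*` matches only non-internal indexes and `_*` is needed for internal ones (names starting with `_`), and follows importRoles inheritance. Running it against the real indexes returned by the metasearch above shows whether the fix should be "add the one index holding the data to the role" rather than granting every index.

```python
"""
Checker for "user sees zero results": does the role reach the index
where the sourcetype actually lives? Roles, indexes and the conf text
are constructed for this example (hypothetical, not from any real host).
"""
import fnmatch
import configparser

# Constructed authorize.conf fragment with three hypothetical roles.
CONF = """
[role_admin]
srchIndexesAllowed = *;_*
srchIndexesDefault = main;_audit

[role_linux_user]
srchIndexesAllowed = os
srchIndexesDefault = os

[role_analyst]
importRoles = linux_user
srchIndexesAllowed = main
srchIndexesDefault = main
"""

# Constructed stand-in for the output of
# | metasearch index=* sourcetype=linux_audit | dedup index | table index
LINUX_AUDIT_INDEXES = ["os", "_audit"]


def parse_authorize(text):
    """Return {role: {"allowed": [patterns], "imports": [roles]}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        name = section[len("role_"):]
        raw_allowed = cp.get(section, "srchIndexesAllowed", fallback="")
        raw_imports = cp.get(section, "importRoles", fallback="")
        roles[name] = {
            "allowed": [p.strip() for p in raw_allowed.split(";") if p.strip()],
            "imports": [r.strip() for r in raw_imports.split(";") if r.strip()],
        }
    return roles


def allowed_patterns(roles, role, seen=None):
    """Index patterns a role may search, including inherited ones."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return []
    seen.add(role)
    patterns = list(roles[role]["allowed"])
    for parent in roles[role]["imports"]:
        patterns.extend(allowed_patterns(roles, parent, seen))
    return patterns


def can_search(roles, role, index):
    """True if any allowed pattern covers the index (Splunk '*' semantics)."""
    for pattern in allowed_patterns(roles, role):
        if pattern == "*" and index.startswith("_"):
            continue  # a bare '*' never grants internal indexes
        if fnmatch.fnmatchcase(index, pattern):
            return True
    return False


def missing_indexes(roles, role, indexes):
    """Indexes (e.g. from the metasearch) the role cannot search."""
    return [i for i in indexes if not can_search(roles, role, i)]


ROLES = parse_authorize(CONF)

if __name__ == "__main__":
    for role in ROLES:
        gap = missing_indexes(ROLES, role, LINUX_AUDIT_INDEXES)
        print(f"{role}: cannot search {gap or 'nothing'}")
```

The output names exactly which index to add to the role; granting only that index keeps the role at least privilege instead of copying the admin role's `*;_*`.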