
Why are only some indexes listed in the available indexes pane under roles?

lycollicott
Motivator

Only a fraction of our indexes are listed as available and there is nothing listed under selected. For example:


The index definitely exists and I can search it, so why is it missing on the Roles screen?

1 Solution

lycollicott
Motivator

This is a bug in 7.0.

Support gave me a workaround by editing etc/apps/search/default/data/ui/manager/authentication_roles.xml.

Here is the revised file, but you should always check with support before dropping in xml from strange Splunkers on the internet. Remember that.

link text


rchudzinski
Engager

The problem still exists in 7.2. I encountered it with the recent upgrade. The cause is as loatswil describes. The searchheads don't see the indexes on the index cluster when populating the UI.

The workaround given by support is to create 'dummy' indexes with the same names as the missing ones on the searchhead. This will populate the list.

Not very elegant but that is a workaround until they patch it.

0 Karma

lycollicott
Motivator

It's resolved in 7.2.1

0 Karma

lycollicott
Motivator

UPDATE:
This bug was resolved in 7.2.1

0 Karma

cboillot
Contributor

Does this have to go into the default directory? Or will it work in the local directory?

0 Karma

lycollicott
Motivator

@cboillot it had to be in default.

This was resolved in version 7.2.1.

0 Karma

cboillot
Contributor

Thanks.

It's going to be a few months, if not near the end of the year, before we can upgrade.

0 Karma

elewis1
Explorer

That fix is extremely inefficient for large sites. The 7.0 call to data/indexes appears to specify "splunk_server=local". Adding the stanza Support provided with a |rest call without the "local" works quickly.

<key name="keyName">entry.properties.get('index', 'index key not found')</key>
<key name="keyValue">entry.properties.get('index', 'index key not found')</key>
<key name="splunkSource">/search/jobs/oneshot</key>
<key name="splunkSourceParams" type="dict">
  <key name="output_mode">"atom"</key>
  <key name="count">"1000"</key>
  <key name="search">"|rest /services/data/indexes |stats values(title) as index |mvexpand index"</key>
</key>

0 Karma

somesoni2
Revered Legend

When you search, you can see all the indexes that are available in your Indexers (which have data of course). But, on search heads, in the Splunk setting pages such as Access Control pages (edit/add users or roles), dropdown where summary indexing is enabled and data input pages, you'd only see indexes that are available on Search heads (indexes.conf available on Search heads). This is the reason you wouldn't see other indexes which are only available on Indexers. The right panel may be empty as the selected indexes for that role don't exist on SH.

You can see the indexes available on SH by using the following:

REST query from search:

| rest splunk_server=local /services/data/indexes | table title splunk_server

Btool command on Search Head server:

$SPLUNK_HOME/bin/splunk btool indexes list --debug | grep "\["

0 Karma
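
An added example, not part of the original thread and not Splunk's own code: a check that lists, per role, the indexes assigned in authorize.conf that have no local definition on the search head, which is the condition the answer above says leaves them out of the Roles panes. It assumes the inputs are plain .conf text (or `btool ... list` output without `--debug`); the sample stanzas are constructed.

```python
import fnmatch
import re

STANZA = re.compile(r"^\[([^\]]+)\]\s*$")

def parse_conf(text):
    """Parse Splunk .conf-style text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = STANZA.match(line)
        if match:
            current = stanzas.setdefault(match.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def role_indexes_missing_locally(authorize_text, indexes_text):
    """Return {role: [assigned index patterns with no local index match]}."""
    # [default] and [volume:*] stanzas in indexes.conf are not indexes.
    local = {name for name in parse_conf(indexes_text)
             if name != "default" and not name.startswith("volume:")}
    missing = {}
    for stanza, settings in parse_conf(authorize_text).items():
        if not stanza.startswith("role_"):
            continue
        wanted = set()
        for key in ("srchIndexesAllowed", "srchIndexesDefault"):
            wanted.update(p.strip() for p in settings.get(key, "").split(";") if p.strip())
        # Wildcards are approximated with shell-style matching on local names.
        absent = sorted(p for p in wanted
                        if not any(fnmatch.fnmatchcase(n, p) for n in local))
        if absent:
            missing[stanza[len("role_"):]] = absent
    return missing

# Constructed sample input (hypothetical role and index names).
AUTHORIZE_SAMPLE = """
[role_soc_analyst]
srchIndexesAllowed = firewall;proxy;main
srchIndexesDefault = main
[role_admin]
srchIndexesAllowed = *;_*
"""
INDEXES_SAMPLE = """
[default]
frozenTimePeriodInSecs = 188697600
[main]
homePath = $SPLUNK_DB/defaultdb/db
[_internal]
homePath = $SPLUNK_DB/_internaldb/db
[volume:hot]
path = /opt/splunk/hot
"""

if __name__ == "__main__":
    print(role_indexes_missing_locally(AUTHORIZE_SAMPLE, INDEXES_SAMPLE))
```
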

lycollicott
Motivator

We have always assigned indexes to roles in this fashion, so I'm afraid I have to disagree with the caveat that we recently upgraded to 7.0. Perhaps that version is the reason we are seeing different behavior now.

0 Karma

somesoni2
Revered Legend

Wasn't aware of the upgrade. Could be a bug, but did you verify that the above search/command gives you all the indexes?

0 Karma

lycollicott
Motivator

Those commands just list local definitions on the SH and that is indeed a match to the pane.

0 Karma

HeinzWaescher
Motivator

Same problem here, we are on 7.0.0 as well.
The search mentioned by somesoni2 does not show all available indexes on my SH as well. But I can search more indexes shown in the search result & in roles.

0 Karma

loatswil
Path Finder

Same results here. Rolling out a 7.0 SH that only sees a few of the available indexes (in Roles and using the REST call). On the 6.4.2 SH, ALL indexes show in the Roles pane but not in the REST call. The missing indexes are defined on the Indexers only. They show up in the Roles panel on 6.4.2 but NOT on 7.0.

0 Karma

lycollicott
Motivator

@loatswil @HeinzWaescher

Did you try the solution support gave me?

0 Karma

loatswil
Path Finder

Not yet, I was waiting to check with support, as you'd suggested 😉

0 Karma