I configured a new role to inherit new default settings but the srchDiskQuota and srchJobsQuota is not being honored by the new role. Anyone else seen this issue?
[role_base] srchDiskQuota = 1000 srchJobsQuota = 5 [role_new] importRoles = base
[role_new] srchDiskQuota = 100 srchJobsQuota = 3
(these are the defaults that ship with Splunk)
This is how it is supposed to work.
The documentation says that role inheritance applies to capabilities and indexes. The other settings are not inherited.
That would be my experience as well.
Can you point to the section of documentation that indicates only capabilities and indexes are inherited? I didn't interpret the spec file in that way.
* Semicolon delimited list of other roles and their associated capabilities that should be imported.
* Importing other roles also imports the other aspects of that role, such as allowed indexes to search.
* By default a role imports no other roles.
This bit me recently as well; the documentation piece that implies all parts of a role should be imported is Importing other roles also imports the other aspects of that role, such as allowed indexes to search.
I can't think why it actually works like it does. I create a templated role and use that as my import for other roles and then I have to go to those other roles anyway and fill in all the stuff that wasn't part of the import with the same exact values.
Crazy. I'd like to highlight another spot in official documentation confirming that roles' settings are imported:
* Maximum time span of a search, in seconds.
* This time window limit is applied backwards from the latest time
specified in a search.
* By default, searches are not limited to any specific time window.
* To override any search time windows from imported roles, set this to '0'
(infinite), as the 'admin' role does.
* -1 is a special value that implies no search window has been set for
* This is equivalent to not setting srchTimeWin at all, which means it
can be easily overridden by an imported role
Also, in my Splunk, "User-level concurrent search jobs limit" is successfully inherited from parent role, tested.
Interesting. I wonder if this is then a bug in a previous version that they didn't want to acknowledge as a bug but secretly fixed. It has happened.