Splunk Dev

How can I give access to only a single index to a custom Role that I've created?

ilaila
New Member

I am trying to create a role that has access to only a single index and can only view the 'search' app.

The way I created the role was by copying all the capabilities and other settings from the 'user' role to my new role. The only differences are that the 'Indexes searched by default' and 'Indexes' list are limited to only the one index I want them to see. I then went to the 'Permissions' page for the Search app and gave the new role Read+Write permissions.

After creating a dummy user and placing it in the role, I logged in and found that indeed it only had access to the search app and could not see others. However when I attempt to execute a search, no results are returned. The search query I used was: 'index=my_custom_index'. The same query works if I run it as myself (an admin).

My splunk set up is: 3 search heads, 3 forwarders, 4 indexers, and a license server. I made all of the above changes on the captain search head's UI.

Are there any steps that I am missing? And are there any other troubleshooting techniques I can use? I've tried looking at the search job logs but there are no clear indications of what permissions were missing or what caused 0 results to be returned.

Tags (1)
0 Karma

somesoni2
Revered Legend

Check the job inspector and see what' the normalized query it's generating?

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...