Splunk Enterprise

Appending to srchIndexesDefault / srchIndexesAllowed

southeringtonp
Motivator

For a given role, is there a way to extend the list of allowed/default indexes, without specifying the entire list?

I know that this can be overridden in an app, but specifying the entire list at the app level seems like asking for trouble - sooner or later two apps will conflict.

For example, given the default configuration:

[role_admin]
srchIndexesAllowed = *;_*
srchIndexesDefault = main;os

Is there a macro or variable substitution that would allow tacking on, similar to how one would append new directories to $PATH or %PATH% in the operating system? I'd like to be able to do something like:

[role_admin]
srchIndexesAllowed = $srchIndexesAllowed$;newindex
srchIndexesDefault = $srchIndexesDefault$;newindex
0 Karma

Simeon
Splunk Employee

Roles can inherit other roles, so in this case it would make sense to have a role that inherits the base set of indexes. For example, you could have a role_base and a role_extra_stuff:

[role_base]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_extra_stuff]
importRoles=role_base
srchIndexesAllowed = new_index
srchIndexesDefault = new_index

The final index capabilities would be role_base having the base set of indexes, and role_extra_stuff having both the base and specific indexes.

yoho
Contributor

Note that "importRoles=role_base" will not work, it should be "importRoles=base" instead...

southeringtonp
Motivator

Does that mean that it is not possible to have a role inherit from [role_extra_stuff] and not have it be able to access new_index?

For example, what if there are settings in [role_extra_stuff] that would be also in [role_one_more]? Those settings would have to be copied into [role_one_more] directly rather than having a third level that inherits from [role_extra_stuff]. Is that right?

0 Karma
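
The additive inheritance described in the answer, as an added example that is not part of the original thread and is not Splunk's own code: a small Python audit that resolves the effective index list for each role. It assumes imports are a transitive union, uses the `importRoles = base` form from the comment above, and adds a hypothetical `role_one_more` stanza; the sample config is constructed.

```python
import configparser

# Constructed sample: the thread's stanzas with the corrected importRoles
# value, plus a hypothetical third role from the follow-up question.
SAMPLE_CONF = """
[role_base]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_extra_stuff]
importRoles = base
srchIndexesAllowed = new_index
srchIndexesDefault = new_index

[role_one_more]
importRoles = extra_stuff
"""

def load_roles(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep setting names case-sensitive
    parser.read_string(text)
    roles = {}
    for section in parser.sections():
        if section.startswith("role_"):
            roles[section[len("role_"):]] = dict(parser[section])
    return roles

def split_list(value):
    return [item.strip() for item in value.split(";") if item.strip()]

def effective(roles, name, setting, _seen=None):
    """Union of a role's own values and those of every imported role."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in roles:  # import cycle or unknown role
        return set()
    seen.add(name)
    result = set(split_list(roles[name].get(setting, "")))
    for parent in split_list(roles[name].get("importRoles", "")):
        result |= effective(roles, parent, setting, seen)  # assumed additive
    return result

def audit(text, setting="srchIndexesAllowed"):
    roles = load_roles(text)
    return {name: sorted(effective(roles, name, setting)) for name in roles}

if __name__ == "__main__":
    for role, indexes in audit(SAMPLE_CONF).items():
        print(f"{role}: {indexes}")
```

Running an audit like this over merged configuration makes it visible when a role picks up index access through an import chain rather than through its own stanza.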