Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Defining new user in a new role with access to a specific index, does not show results

MoienABO
Loves-to-Learn Lots
‎12-05-2022 11:45 PM

Hi splunkers,

I've defined a new role and check all capabilities for that but just access to a specific index. when i search in that index, it doesn't show any results for me. With another user and another role i can search in that index. Something wired is when i change the user role to for example "user", the search results shown. is there a limit in number of roles can be defined in splunk? How can i troubleshoot these kindes of permissions in splunk logs?

Labels (1)
Labels
Tags (3)
0 Karma
Reply

MoienABO
Loves-to-Learn Lots
‎12-07-2022 12:25 AM

Thanks for your answer

all capabilities for that role are checked and in "indexes" section, cisco-asa, cisco-devices, cisco-ise, dhcp, fortigate and waf are checked. Here is a picture of authorize.conf:

Capture.PNG

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-07-2022 05:27 AM

And which index is the one you're trying to access and can't?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

MoienABO
Loves-to-Learn Lots
‎12-07-2022 05:56 AM

All of indexes listed above

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-06-2022 06:34 AM

The number of roles defined is not the issue.  Either the role or the user is defined incorrectly.  Please share the settings for the role, in particular the "indexes" tab.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...