Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unable to Access on Splunk Enterprise

Roy_9
Motivator
‎12-16-2024 10:13 AM

Hello,

I have an issue where I was part of multiple roles on Splunk Enterprise and Splunk Enterprise Security, the same role and saml group has access to all the indexes, On the Splunk Enterprise i am part of 3 roles(A, B, C) which has search filters but I am already part of role D which has access to all indexes but when I am trying to search any data, I am not getting any data, But On Enterprise Security SH, I am able to view all the data as expected.

Is it something like precedence issue on Splunk Enterprise SH that is causing the issue?Please help me.

 

 

Thanks

0 Karma
Reply

marnall
Motivator
‎12-16-2024 11:09 AM

At first glance I would suspect that the search filters for your roles are contradicting each other and filtering out all events.

E.g. if you have the following roles with search filters:

ROLE A - (index=index1 sourcetype=something)

ROLE B - (index=index2 sourcetype=something)

Then if you have role A and B, then Splunk will force you to search with "(index=index1 sourcetype=something) (index=index2 sourcetype=something)" which will retrieve 0 events because none exist in both index1 and index2 at the same time.

Are you able to post your sanitized search filters to look for contradictory filters?

0 Karma
Reply
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...