Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unable to Access on Splunk Enterprise

Roy_9
Motivator
‎12-16-2024 10:13 AM

Hello,

I have an issue where I was part of multiple roles on Splunk Enterprise and Splunk Enterprise Security, the same role and saml group has access to all the indexes, On the Splunk Enterprise i am part of 3 roles(A, B, C) which has search filters but I am already part of role D which has access to all indexes but when I am trying to search any data, I am not getting any data, But On Enterprise Security SH, I am able to view all the data as expected.

Is it something like precedence issue on Splunk Enterprise SH that is causing the issue?Please help me.

 

 

Thanks

0 Karma
Reply

marnall
Motivator
‎12-16-2024 11:09 AM

At first glance I would suspect that the search filters for your roles are contradicting each other and filtering out all events.

E.g. if you have the following roles with search filters:

ROLE A - (index=index1 sourcetype=something)

ROLE B - (index=index2 sourcetype=something)

Then if you have role A and B, then Splunk will force you to search with "(index=index1 sourcetype=something) (index=index2 sourcetype=something)" which will retrieve 0 events because none exist in both index1 and index2 at the same time.

Are you able to post your sanitized search filters to look for contradictory filters?

0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...