Splunk Search

Are there inherited properties/restrictions when using collect to copy from one index to another?


We were presented with a situation where non-admin users needed access to Splunk license data from the _internal index, though to whom we can not grant admin access/access to the _internal index.

The solution we came up with was to generate a new index and use a scheduled report/search using collect to move only license event to this new index and give access to the new index on a role-basis appropriate for these users. This did not work as the users with roles who should have read access to this index cannot see any events, only admin can and I am struggling to figure out why.

This is the basic search used to copy events:

index=_internal source=*license_usage.log type=Usage | collect index="collect_license"

is scheduled to run every 15 min collecting data for the past 15 min.

The report is set to Display for App with read access granted to Everyone. The job runs, collect does "copy" data to the new index where admin users can search the index. However, the other roles with access to the index cannot.

We cannot see, or find any indications of restrictions on the "stash" sourcetype in the documentation, online or in our environment. Users have a role-based access to this new index though for some reason are not allowed access to events in the index turning up empty results when searching.

So I hit a wall here,  I see no reason why the intended users lack access to events in the new index. The only thing left I can imagine is if there is any inherited property included when "extracting" and "copying" using collect maintaining some restriction from the source index.

Any information and/or suggestions that could help solve this would be greatly appreciated



Labels (1)
Tags (1)
0 Karma


Question is if the users don't see any raw events in the collect_license index or do you have any searches/reports that are not working on that index.

That's because by default the sourcetype is changed to "stash" for collected events and thus your field extractions from the source sourcetype (ugly wording, I know) won't work.

Other possible issue is that the time of events might change. Though the docs say "If you apply the collect command to events that do not have timestamps, the command designates a time for all of the events using the earliest (or minimum) time of the search range", I find it not entirely true. For example, I did a simple

index=winevents earliest=-1d@d latest=@d | collect index=test2

on my home splunk free installation and even though original events had the timestamp set, I got all events in destination index timestamped at current time (2021-12-17T16:06:41.000+01:00).

So your events might also be getting timestamped at wrong point in time.


0 Karma


Thank you @PickleRick for the prompt feedback

The users see no events, _raw or tohetwise regardles of time-frame.

(I did notice the missing fields so I just made some rex extractions for them to get the fields they need.)

Timestaps seem OK

BTW, excellent username

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...