We were presented with a situation where non-admin users needed access to Splunk license data from the _internal index, but to whom we cannot grant admin access or access to the _internal index.
The solution we came up with was to generate a new index and use a scheduled report/search using collect to move only license events to this new index, and then give access to the new index on a role basis appropriate for these users. This did not work: the users with roles that should have read access to this index cannot see any events, only admin can, and I am struggling to figure out why.
This is the basic search used to copy events:
index=_internal source=*license_usage.log type=Usage | collect index="collect_license"
It is scheduled to run every 15 min, collecting data for the past 15 min.
The report is set to Display for App with read access granted to Everyone. The job runs, collect does "copy" data to the new index where admin users can search the index. However, the other roles with access to the index cannot.
We cannot see or find any indication of restrictions on the "stash" sourcetype in the documentation, online, or in our environment. Users have role-based access to this new index, though for some reason they are not allowed access to events in the index, turning up empty results when searching.
So I have hit a wall here; I see no reason why the intended users lack access to events in the new index. The only thing left I can imagine is that there is some inherited property included when "extracting" and "copying" using collect that maintains some restriction from the source index.
Any information and/or suggestions that could help solve this would be greatly appreciated.
The question is whether the users don't see any raw events in the collect_license index, or whether you have searches/reports that are not working on that index.
That's because by default the sourcetype is changed to "stash" for collected events and thus your field extractions from the source sourcetype (ugly wording, I know) won't work.
Another possible issue is that the time of events might change. Though the docs say "If you apply the collect command to events that do not have timestamps, the command designates a time for all of the events using the earliest (or minimum) time of the search range", I find it not entirely true. For example, I did a simple
index=winevents earliest=-1d@d latest=@d | collect index=test2
on my home Splunk Free installation, and even though the original events had the timestamp set, I got all events in the destination index timestamped at the current time (2021-12-17T16:06:41.000+01:00).
So your events might also be getting timestamped at the wrong point in time.
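As an added illustration (not code from either poster), the following Python checker resolves the effective index permissions of a Splunk role from an authorize.conf-style definition, including roles inherited through importRoles and the wildcard rule that "*" does not cover underscore-prefixed internal indexes, and surfaces any srchFilter, since a filter that does not match the "stash" sourcetype would hide collected events. The role names, the conf fragment and the index name other than collect_license are constructed for the example.

```python
import configparser
import fnmatch

# Constructed authorize.conf fragment (sample data, not from the thread):
# "license_viewer" inherits from "user" and is meant to read collect_license.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_license_viewer]
importRoles = user
srchIndexesAllowed = collect_license
srchFilter = sourcetype=splunkd
"""

def load_roles(conf_text):
    """Parse [role_<name>] stanzas into a dict keyed by role name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(conf_text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def effective(roles, role, key, seen=None):
    """Union a ';'-separated setting over the role and every role it imports."""
    if seen is None:
        seen = set()
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    vals = {v.strip() for v in roles[role].get(key, "").split(";") if v.strip()}
    for parent in roles[role].get("importRoles", "").split(";"):
        vals |= effective(roles, parent.strip(), key, seen)
    return vals

def index_matches(pattern, index):
    """Splunk wildcard rule: a plain '*' never matches internal (underscore) indexes."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index, pattern)

def can_search_index(roles, role, index):
    """Return (allowed, searched_by_default, search_filters) for a role/index pair.
    Any srchFilter is appended to every search the role runs, so review it against
    the sourcetype the collected events actually carry (stash by default)."""
    allowed = any(index_matches(p, index) for p in effective(roles, role, "srchIndexesAllowed"))
    default = any(index_matches(p, index) for p in effective(roles, role, "srchIndexesDefault"))
    return allowed, default, effective(roles, role, "srchFilter")
```

On a live instance the same values can be read with `splunk btool authorize list --debug` or with the search `| rest /services/authorization/roles`.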
Thank you @PickleRick for the prompt feedback.
The users see no events, _raw or otherwise, regardless of time frame.
(I did notice the missing fields so I just made some rex extractions for them to get the fields they need.)
Timestamps seem OK.
BTW, excellent username