I have set up Splunk Enterprise 7.2.1.
Custom roles are created under $SPLUNK_HOME/etc/system/local/
authorize.conf
[role_splunk-user]
cumulativeSrchJobsQuota = 50
get_metadata = enabled
get_typeahead = enabled
rest_properties_get = enabled
search = enabled
srchDiskQuota = 50
srchIndexesAllowed = abc
srchIndexesDefault = abc
srchJobsQuota = 5
=============================================
authentication.conf
[authentication]
authType = LDAP
authSettings = splunkuser
[splunkuser]
bindDN = xxxx
bindDNpassword = xxxx
charset = utf8
groupBaseFilter = xxxx
groupNameAttribute = xxxx
SSLEnabled = 0
network_timeout = 20
groupMemberAttribute = member
port = 389
timelimit = 15
host = xxxx
realNameAttribute = displayName
userNameAttribute = samaccountname
sizelimit = 1000
groupMappingAttribute = dn
groupBaseDN = xxxx
nestedGroups = 0
userBaseDN = xxxx
anonymous_referrals = 1
[roleMap_splunkuser]
splunk-user = xyz
The user is part of the LDAP group 'xyz'. The user is able to log in to Splunk Enterprise but is not able to search any events with the search string "index=abc".
Hi. Shouldn't the authorize.conf stanza have
[role_splunkuser]
instead of
[role_splunk-user]
splunkuser is the strategy used and splunk-user is the role.
Both are different.
Also, please let me know if you need to define any of the below attributes for the custom roles under $SPLUNK_HOME/etc/system/local/authorize.conf:
srchDiskQuota = 100
srchJobsQuota = 3
rtSrchJobsQuota = 6
srchMaxTime = 100days
cumulativeSrchJobsQuota = 50
cumulativeRTSrchJobsQuota = 100
srchFilterSelecting = true
OR
Will these be picked from the [default] stanza of $SPLUNK_HOME/etc/system/default/authorize.conf?
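Added example (not part of the original thread and not Splunk's own code): a Python check of the naming relationship discussed above, where the authSettings strategy name selects the [roleMap_<strategy>] stanza and each key in that stanza must match a [role_<name>] stanza in authorize.conf. The sample text is constructed from the posted stanzas, the function names are hypothetical, and the check reads only the text passed in, not Splunk's merged default/local configuration.

```python
import configparser

# Constructed sample input mirroring the stanzas posted in the thread.
AUTHORIZE_CONF = """
[role_splunk-user]
search = enabled
srchIndexesAllowed = abc
"""
AUTHENTICATION_CONF = """
[authentication]
authType = LDAP
authSettings = splunkuser
[splunkuser]
host = xxxx
[roleMap_splunkuser]
splunk-user = xyz
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return cp

def _split(value, sep):
    return [v.strip() for v in value.split(sep) if v.strip()]

def check_role_mapping(authorize_text, authentication_text):
    """Return (findings, report) for every LDAP strategy named in authSettings."""
    authz, authn = _parse(authorize_text), _parse(authentication_text)
    findings, report = [], {}
    for strategy in _split(authn.get("authentication", "authSettings", fallback=""), ","):
        if not authn.has_section(strategy):
            findings.append(f"strategy stanza [{strategy}] is missing")
        map_section = f"roleMap_{strategy}"
        if not authn.has_section(map_section):
            findings.append(f"[{map_section}] is missing")
            continue
        for role, groups in authn.items(map_section):
            role_section = f"role_{role}"
            if not authz.has_section(role_section):
                findings.append(f"[{map_section}] maps role '{role}' but [{role_section}] is not defined")
                continue
            indexes = _split(authz.get(role_section, "srchIndexesAllowed", fallback=""), ";")
            if not indexes:
                findings.append(f"[{role_section}] sets no srchIndexesAllowed")
            report[role] = {"ldap_groups": _split(groups, ";"), "indexes": indexes}
    return findings, report

if __name__ == "__main__":
    print(check_role_mapping(AUTHORIZE_CONF, AUTHENTICATION_CONF))
```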