Splunk Search

I am getting mostly info=denied events for specific users while searching the _audit index, and the user can no longer query any indexes. Does that info indicate permission issues, or something else?

pateriaak
Explorer

I am getting info=denied events for specific users while searching the _audit index. What is the significance of this, as users are not able to search any indexes? Any leads?

1 Solution

Sukisen1981
Champion

hi @pateriaak - Are you trying to say that the users who are getting info=denied in the _audit index are not able to search all other indexes as well, and not just the _audit index?
Most of the time Splunk admins will restrict _audit access for most users, as I wouldn't want end users to see audit info.
But for this, what I do is go to Access controls > Roles and manually remove the _audit index from the specified user roles.
If the affected users in your case are not able to see/search any indexes, I recommend that you navigate to one of the roles and check whether that role has permission set for one of the indexes that they should have access to.

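The two checks in the answer above (first find who is being denied and on which indexes, then compare that against what the user's roles actually grant in authorize.conf) can be scripted so the gap is visible at a glance. The following is an added example, not code from this thread or from Splunk; the _audit lines and the authorize.conf text are constructed for illustration, and the user-to-role mapping is assumed (in a real deployment it would come from the /services/authentication/users REST endpoint or the Users page). The first step is what `index=_audit action=search info=denied | stats count by user, search` gives you inside Splunk itself.

```python
"""Triage info=denied search events from _audit against role index permissions.

Added example, not code from the Splunk Community thread. The audit lines and the
authorize.conf text below are constructed; USER_ROLES is an assumed mapping.
Equivalent SPL for the first step, run in Splunk itself:
    index=_audit action=search info=denied | stats count by user, search
"""
import configparser
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed _audit-style lines (real events carry more fields; only those used here are kept).
AUDIT_LINES = [
    "Audit:[timestamp=05-13-2024 09:12:33.123, user=alice, action=search, info=granted, search_id='1715590353.1', search='search index=web status=500']",
    "Audit:[timestamp=05-13-2024 09:13:01.456, user=alice, action=search, info=denied, search_id='1715590381.2', search='search index=_audit action=login']",
    "Audit:[timestamp=05-13-2024 09:14:10.789, user=bob, action=search, info=denied, search_id='1715590450.3', search='search index=main sourcetype=syslog']",
    "Audit:[timestamp=05-13-2024 09:15:22.012, user=bob, action=search, info=denied, search_id='1715590522.4', search='search index=web status=404']",
    "Audit:[timestamp=05-13-2024 09:16:00.000, user=bob, action=login, info=succeeded]",
]

# Constructed authorize.conf: role_contractor grants no indexes at all, which is the
# misconfiguration this thread ends up with (the user cannot search anything).
AUTHORIZE_CONF = """
[role_analyst]
srchIndexesAllowed = web;main
srchIndexesDefault = web

[role_contractor]
srchIndexesAllowed =
srchIndexesDefault =
"""

# Assumed mapping; in practice read it from /services/authentication/users.
USER_ROLES = {"alice": ["analyst"], "bob": ["contractor"]}

_KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|[^,\]]*)")
_INDEX_RE = re.compile(r"\bindex=([^\s'\"]+)")


def parse_audit_line(line):
    """Turn one Audit:[k=v, ...] line into a dict; quoted values are unquoted."""
    body = line[line.index("[") + 1 : line.rindex("]")]
    return {k: v.strip("'\"") for k, v in _KV_RE.findall(body)}


def denied_searches(lines):
    """Return {user: {index: count}} for action=search info=denied events."""
    out = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_audit_line(line)
        if ev.get("action") != "search" or ev.get("info") != "denied":
            continue
        # A search with no explicit index= falls back to the role's default indexes.
        for idx in _INDEX_RE.findall(ev.get("search", "")) or ["(no index specified)"]:
            out[ev["user"]][idx] += 1
    return {u: dict(c) for u, c in out.items()}


def role_indexes(conf_text, role):
    """srchIndexesAllowed patterns for [role_<role>] in authorize.conf, as a list."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get(f"role_{role}", "srchIndexesAllowed", fallback="")
    return [p.strip() for p in raw.split(";") if p.strip()]


def index_allowed(index, patterns):
    """Splunk semantics: '*' covers non-internal indexes only; '_*' covers internal ones."""
    for p in patterns:
        if p == "*":
            if not index.startswith("_"):
                return True
            continue
        if fnmatchcase(index, p):
            return True
    return False


def explain_denials(lines, conf_text, user_roles):
    """For each user with denied searches, list the indexes that no assigned role grants."""
    report = {}
    for user, indexes in denied_searches(lines).items():
        roles = user_roles.get(user, [])
        allowed = [p for r in roles for p in role_indexes(conf_text, r)]
        report[user] = {
            "roles": roles,
            "allowed_patterns": allowed,
            "denied_indexes": sorted(indexes),
            "not_granted_by_any_role": sorted(i for i in indexes if not index_allowed(i, allowed)),
        }
    return report


if __name__ == "__main__":
    for user, r in explain_denials(AUDIT_LINES, AUTHORIZE_CONF, USER_ROLES).items():
        print(f"{user}: roles={r['roles']} allowed={r['allowed_patterns']} "
              f"denied on {r['denied_indexes']}; not granted by any role: {r['not_granted_by_any_role']}")
```

With the constructed data, alice is denied only on _audit, which is the deliberate restriction the answer describes, while bob is denied on every index he tries because role_contractor grants none; that second pattern is the one to fix in Access controls > Roles. Note that roles inherit from other roles via importRoles, so on a real system the merged view from `splunk btool authorize list --debug` is the safer input than a single stanza.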

pateriaak
Explorer

hi @Sukisen1981 - I was unclear in my question about the _audit index. I was seeing this info=denied in the _audit index for a user as a Splunk admin, and yes, later I was able to figure out the access issues causing users to not be able to search any indexes. Thank you for your comments, and sorry about being unclear initially.


Sukisen1981
Champion

hi @pateriaak - Glad that you figured out the issue; it had to be an index permission issue.
Please accept my answer if it helps similar issue resolution in a significant way, or please post your answer if you did something very different to resolve the issue, for the benefit of the forum.
