Hello All
I am not sure why I am not able to use a search like
host=*
but if I search like
index=* host=*
then it will work.
Not sure why. I need to use more fields to start searching, but some are working and some are not.
Hi @vishaltaneja07011993,
This is because running host=* is the equivalent of running index="your user's role default searched indexes" host=*.
If your requirement is that index=* host=* and host=* give you the same results, then you need to add all your indexes to the list of indexes searched by default for your role.
To do so you can change this under Settings » Access controls » Roles » Your Role » Default indexes.
Let me know if that helps.
Cheers,
David
Hello @DavidHourani
Nope, it is not like that. In the roles I have mentioned by default access to All non Internal indexes.
But still it is not running.
So some other issue it is.
In the role you have two configs: Indexes searched by default and Indexes. Are they both set to All non Internal indexes?
Hello @davidhourani
Yes.
For Indexes searched by default it is having All Non Internal indexes,
and for indexes search one has both All Non Internal Indexes & All Internal Indexes.
You have the same when running a search with sourcetype=* instead of host=*?
No, with sourcetype=* it is working good.
Could be a bug then... it's weird... long shot, but try something like host="*", maybe it has something to do with the format.
Nope. No luck.
@vishaltaneja07011993 You can use Access Control in Splunk to define some default index which can be searched by your user role without defining the index= in the search query.
Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Security/Addandeditroles#Add_or_edit_a_role
Hello @niketnilay
Nope, it is not like that. In the roles I have mentioned by default access to All non Internal indexes.
But still it is not running.
So some other issue it is.
@vishaltaneja07011993 I am not sure why that is not working. If proper access has been provisioned this should work out of the box. You should raise a Splunk Support case to have them look into the configuration issue.
What are the indexes that show up when you run the following query?
| tstats count where index=* by index
It is giving mostly all the indexes.