Splunk Search

Search only works for index=* in flashtimeline

Ant1D
Motivator

Hey,

I have an instance of Splunk which is not functioning as desired.

When I execute a search in the flashtimeline view, results will only be returned when the search starts with index=the_index ...

If I do not specify the index at the beginning of the query but instead start the search query with something that resides in an index (e.g. * OR env="uat"), this swiftly returns no results when it is executed.

Is there a parameter in the config somewhere which is causing this behaviour where search queries only return results when they begin with index=the_index?

Thanks in advance for your help.

1 Solution

okrabbe_splunk
Splunk Employee

By default, Splunk user roles are set to search the main index. You must have indexed data into another index which is not added to the roles. Typically what you would want to do is make certain indexes searched by default for specific roles.

For example, let's say you have a "network" index that your network admins should be able to search. You would create a role for them by going to Manager -> Access Controls -> Roles. When you are creating a role you will see at the bottom of the screen a place to grant access to an index as well as "indexes searched by default".

If it is just for you as the admin you can also just edit the admin role to search your index by default.

MHibbin
Influencer

The typical index searched upon by Splunk is the default index; this is where inputs default to when they are set up unless explicitly defined (e.g. with the use of index = foo in the input stanza).

You can change the default index(es) to be searched upon under the Manager (top-right of Splunkweb), and then navigating to "Access Controls" and "Roles". Then select the role of your choice (e.g. Admin). Near the bottom of the new view is the header "Indexes searched by default". You can add your index to the "selected indexes" panel here by simply clicking the name of it. Then click Save.
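The role setting both answers above describe (Manager -> Access Controls -> Roles -> "Indexes searched by default") is stored in authorize.conf, which is the "parameter in the config" the question asks about. The following stanzas are an added illustration written for this thread, not configuration taken from the posters or from Splunk's shipped defaults; the role name network_admin is a constructed example, while the "network" index name comes from the accepted answer. The point worth separating is that two different keys are involved: srchIndexesAllowed is the access-control list (which indexes the role may search at all), and srchIndexesDefault only decides which of those an unqualified search (no index= clause) covers. The original poster's symptom, results only with index=the_index, is a missing srchIndexesDefault entry, not a missing permission.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf (added example, not from the thread)

# Least-privilege role for network admins: the role may only search "network",
# and an unqualified search covers "network" without needing index=network.
# Index lists are additive with any role named in importRoles, so a role that
# imports one with srchIndexesAllowed = * silently gains access to every index.
[role_network_admin]
srchIndexesAllowed = network
srchIndexesDefault = network

# Admin override for the situation in the question: the admin already had
# permission on the index (explicit index=the_index searches worked) but the
# index was absent from the default list. Lists are semicolon-separated.
[role_admin]
srchIndexesDefault = main;network

# Weak variant to recognise during review: every index, including any created
# later, is searchable and searched by default for anyone holding this role.
[role_network_admin_too_broad]
srchIndexesAllowed = *
srchIndexesDefault = *
```

After changing the role (in the UI or the file), a quick way to confirm what each role can and does search is the REST endpoint exposed to SPL: | rest /services/authorization/roles | fields title srchIndexesAllowed srchIndexesDefault. If an index appears in srchIndexesAllowed but not srchIndexesDefault for your role, you will see exactly the behaviour described in the question.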

Ant1D
Motivator

Thanks for your response

Ant1D
Motivator

Thanks, it wasn't included in the default index search area. Problem solved

MHibbin
Influencer

HaHaHa! 😄

okrabbe_splunk
Splunk Employee

This one was an exercise in speed typing 🙂

MHibbin
Influencer

ahhh... beat me to it! by 26 seconds! ... up-vote for that
