Splunk Search

how to troubleshoot role restriction presidence

hartfoml
Motivator

Somehow all users on my staging server are restricted to some kind of search term.

When I do this each on any other search head it works as expected

index=_internal host="license-master" source=*license_usage.log type="Usage" idx=foo

when I execute this on the staging system i can only get info about the "os" index and the "sos" index.

No other index is showing. There are a few other really strange things about limited search capabilities on the staging system. How too I look for search restrictions that would affect all users, even admin.

Thanks for your help

0 Karma

woodcock
Esteemed Legend

As an admin, go to Settings -> Access controls -> Roles -> user. There you will see several search restriction settings. See if these are different between the two systems and check all Roles.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...