Splunk Search

how to troubleshoot role restriction presidence


Somehow all users on my staging server are restricted to some kind of search term.

When I do this each on any other search head it works as expected

index=_internal host="license-master" source=*license_usage.log type="Usage" idx=foo

when I execute this on the staging system i can only get info about the "os" index and the "sos" index.

No other index is showing. There are a few other really strange things about limited search capabilities on the staging system. How too I look for search restrictions that would affect all users, even admin.

Thanks for your help

0 Karma

Esteemed Legend

As an admin, go to Settings -> Access controls -> Roles -> user. There you will see several search restriction settings. See if these are different between the two systems and check all Roles.

0 Karma