Splunk Search

how to troubleshoot role restriction presidence


Somehow all users on my staging server are restricted to some kind of search term.

When I do this each on any other search head it works as expected

index=_internal host="license-master" source=*license_usage.log type="Usage" idx=foo

when I execute this on the staging system i can only get info about the "os" index and the "sos" index.

No other index is showing. There are a few other really strange things about limited search capabilities on the staging system. How too I look for search restrictions that would affect all users, even admin.

Thanks for your help

0 Karma

Esteemed Legend

As an admin, go to Settings -> Access controls -> Roles -> user. There you will see several search restriction settings. See if these are different between the two systems and check all Roles.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...