Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- two indexes
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
two indexes
A power user cannot get results from index=* or index=foo OR index=bar when an admin can
Below is the authorize.conf changes
[role_user]
srchMaxTime = 8640000
srchDiskQuota = 250
[role_admin]
srchIndexesDefault = main
srchMaxTime = 8640000
[role_power]
cumulativeRTSrchJobsQuota = 400
cumulativeSrchJobsQuota = 200
srchFilter = *
srchMaxTime = 8640000
When the power user runs the query they are getting results from foo index but nothing from bar index. When the Power user run index=foo he gets results and when he runs index=bar he gets results.
When the admin user run the query they are getting results from both foo and bar indexes.
Let me know what I might be missing to get the fixed for our power users.
Best regards,
Logan Rhamy
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey
The power user with a index=* will get its default indexes, which if you haven;t changed them, are only main. So if you are searching index=* and aren't getting results from one index, it means you may need to add bar index to srchIndexesAllowed for the role power_user.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the quick answer. When Power user searches bar alone he gets results. I assume that would mean he has access to search that index. Let me know if I am mistaken.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes it does mean he can get data from that index indeed. No errors occur in that search? Are you sure both searches time ranges are the same?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes it is a dashboard search that is just opened in search so we are 100% sure of the match query and time frame.
No errors occur besides the lack of results from one of the indexes
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
