I have index1, index2, and index3. I want role_user to have access to all three within a specific app. Is there a way to do this?

In $SPLUNK_HOME/etc/system/local my authorize.conf has

srchIndexesDefault: index1;index2
srchIndexesAllowed: index1;index2

In $SPLUNK_HOME/etc/apps/myApp/local my authorize.conf has

srchIndexesDefault: index1;index2;index3
srchIndexesAllowed: index1;index2;index3

Of course, this doesn't work. I understand /system/local wins this conflicting parameter fight. Is there any way to grant the user role access to index3 within myApp? Or would I have to create a different role that inherits role_user and adds index3 access to achieve this?

Thanks in advance.