I've got a Splunk Installation with multiple independent Splunk Roles that grant access to individual indexes and also list that index as the default search index. My assumption was that the SrchIndexesDefault field would be OR'd between the various group memberships, similar to how the srchFilter works, so that the final default search indexes would be the combination of all of the individual groups.
However, I have found that instead it is the final Splunk group that provides the SrchIndexesDefault value.
I.e. if the user was a member of foo and goo, it would be the SrchIndexesDefault from goo that would apply to the user.
Two questions:
1. Am I missing something here, or is this implementation of SrchIndexesDefault working as designed?
2. What is the recommended manner for granting access to multiple independent indexes? I am considering creating higher-level groups that inherit the values of the lower-level groups, but I would prefer to preserve my building block approach if possible.
Thanks!
Chris Bowles