Setting Write Permission on an Index - to be used as a Summary Index

gn694
Communicator

I have created three new indexes (to be used as summary indexes for someone's saved searches).
When I (as a member of the Admin role in Splunk) go to create a new Saved Search, I am able to select these new indexes from the "Select the summary index" drop-down list.

When the user that I created these indexes for attempts to select a summary index, their only option is the default summary index "summary."
This user is a member of a role with srchIndexesAllowed = *
I know srchIndexesAllowed is a read permission. How do I set a write permission for the role on these new summary indexes so they can select them to be used in their saved searches?

vbumgarner
Contributor

This just came up for me. Apparently the user has to have the "indexes_edit" capability.

That's not so great. Indexes don't have permissions like other objects at this point. Perhaps they should? Read instead of adding read access at the role level? Write to allow collect to function, and therefore summary indexing?

The confusing thing would be that this setting simply couldn't apply at index time, since events don't have permissions when they arrive at the indexers.
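
An added example, not code from any poster in this thread: because the reply above ties summary-index selection to the `indexes_edit` capability, this sketch reports which roles in an `authorize.conf` effectively hold that capability, including through `importRoles`, so the grant can be reviewed for least privilege. The role names and sample file are constructed, and the inheritance handling is a simplified model of Splunk's behaviour.

```python
import configparser

# Constructed sample authorize.conf; role names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main

[role_summary_writer]
importRoles = user
indexes_edit = enabled
srchIndexesAllowed = *

[role_report_owner]
importRoles = summary_writer
"""

def _split(value):
    # authorize.conf separates list values with semicolons
    return [p.strip() for p in value.split(";") if p.strip()]

def parse_roles(conf_text):
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep key case, e.g. srchIndexesAllowed
    cp.read_string(conf_text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            kv = dict(cp.items(section))
            roles[section[len("role_"):]] = {
                "imports": _split(kv.get("importRoles", "")),
                "caps": {k for k, v in kv.items() if v.strip().lower() == "enabled"},
                "indexes": set(_split(kv.get("srchIndexesAllowed", ""))),
            }
    return roles

def effective(roles, name, seen=None):
    # Merge a role's own settings with those of every role it imports (assumed model).
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # cycle or unknown role
        return set(), set()
    seen.add(name)
    caps, idx = set(roles[name]["caps"]), set(roles[name]["indexes"])
    for parent in roles[name]["imports"]:
        parent_caps, parent_idx = effective(roles, parent, seen)
        caps |= parent_caps
        idx |= parent_idx
    return caps, idx

def audit(conf_text):
    roles = parse_roles(conf_text)
    return {name: {"can_edit_indexes": "indexes_edit" in effective(roles, name)[0],
                   "search_indexes": sorted(effective(roles, name)[1])}
            for name in roles}
```

In the sample, `report_owner` never names `indexes_edit` itself but still ends up with it through `summary_writer`, which is the case a review of the role file is most likely to miss.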

gn694
Communicator

When I look at the role in the web GUI (Manager » Access controls » Roles), the very last item is titled "Indexes" and provides a list of "available indexes" which lists all of the indexes from which we can select indexes available to the role. The "Selected search indexes" for this role is "All non-internal indexes" - this is because in authorize.conf, we have specified the role has srchIndexesAllowed=*.

lguinn2
Legend

Sorry, that was my only suggestion! Commenting to bump this thread - hopefully someone else can help!

lguinn2
Legend

Check the allowed indexes for the role; it's the last item in the role configuration. Do the new summary indexes appear in the list as allowed for this role? If not, then the user will not be able to "see" the indexes, much less write to them, regardless of their permissions.
