Forums: SplunkAdministration: Set permissions for roles to access specific indexes during distributed search

We have an indexer with multiple indexes separate from the SplunkWeb. I use distributed searches to access the indexes. Now I need to set up permissions per index.

Any ideas?

Yes, look in the manual under authorize.conf (you can also do this via Manager > Roles):

http://www.splunk.com/base/Documentation/latest/Admin/Authorizeconf

srchIndexesDefault = <string>
* Semicolon delimited list of indexes to search when no index is specified
* These indexes can be wildcarded, with the exception that '*' does not match internal indexes
* To match internal indexes, start with '_'. All internal indexes are represented by '_*'

srchIndexesAllowed = <string>
* Semicolon delimited list of indexes this role is allowed to search
* Follows the same wildcarding semantics as srchIndexesDefault

This was a partial fix. I had to specify specific indexes but also had to include the "request_remote_tok = enabled".

Still experiencing some oddness. Summary pages will come back without all three columns filled out. E.g., at least one of the three (Source, Sourcetype, Hosts) will be completely blank and I'll receive an error banner at the top of the page.
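An added example, not part of the original thread and not Splunk's own code: a small audit script that applies the wildcard semantics quoted above to report which indexes each role may search. The sample configuration, role names and index names are constructed; it assumes roles live in `[role_<name>]` stanzas and does not model role inheritance or the `request_remote_tok` setting mentioned in the last post.

```python
import configparser
import re

# Constructed sample; role and index names are made up for illustration.
SAMPLE_AUTHORIZE_CONF = """
[role_netops]
srchIndexesAllowed = firewall;proxy_*
srchIndexesDefault = firewall

[role_auditor]
srchIndexesAllowed = *;_audit
srchIndexesDefault = *

[role_poweruser]
srchIndexesAllowed = *;_*
"""
KEYS = ("srchIndexesAllowed", "srchIndexesDefault")

def pattern_matches(pattern, index):
    """Wildcard rule quoted in the answer: '*' never matches an internal
    index; only a pattern that itself starts with '_' can."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None

def load_roles(text):
    """Return {role: {key: [patterns]}} from [role_<name>] stanzas."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the camelCase setting names
    parser.read_string(text)
    roles = {}
    for section in parser.sections():
        if section.startswith("role_"):
            roles[section[len("role_"):]] = {
                key: [p.strip() for p in parser[section].get(key, "").split(";") if p.strip()]
                for key in KEYS
            }
    return roles

def indexes_for(roles, role, key, indexes):
    """Indexes from `indexes` that the role's `key` patterns cover."""
    patterns = roles[role][key]
    return sorted(i for i in indexes if any(pattern_matches(p, i) for p in patterns))

if __name__ == "__main__":
    known = ["firewall", "proxy_web", "main", "_audit", "_internal"]
    roles = load_roles(SAMPLE_AUTHORIZE_CONF)
    for name in roles:
        print(name, "may search:", indexes_for(roles, name, "srchIndexesAllowed", known))
```

Running it against a real `authorize.conf` and the actual index list makes it easy to spot roles whose allowed list reaches internal indexes through a `_*` pattern.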