Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Troubleshoot messages about unnecessary read or write access to investigation KV store collections

Troubleshoot Splunk Web messages about roles that have unnecessary read or write access to the investigation KV store collections.

You might see the following error messages in Splunk Web:

Health Check: Review roles for unnecessary read or write access to the investigation_attachment collection and remove access if possible
Health Check: Review roles for unnecessary read or write access to the investigation_event collection and remove access if possible
Health Check: Review roles for unnecessary read or write access to the investigative_canvas_entries collection and remove access if possible
Health Check: Review roles for unnecessary read or write access to the files collection and remove access if possible
Health Check: Review roles for unnecessary read or write access to the investigation collection and remove access if possible
Health Check: Review roles for unnecessary read or write access to the investigative_canvas collection and remove access if possible

These messages are produced by the Audit - Investigation Collection ACLs saved search. The search looks for non-admin permissions to the investigation KV store collections.

Remove the unnecessary read or write access from the collections

If you see these messages, remove the corresponding [collections/<stanza_name>] collections from $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/metadata/local.meta. Access to these collections by non-admin roles is not recommended. After making the changes, refresh the file cache from Splunk Web: http://<yoursplunkserver>:8000/en-us/debug/refresh?.

In a search head cluster environment, make these changes to the local.meta file on each member in the cluster, via the deployer if applicable. Then refresh the file cache from Splunk Web for each search head: http://<yoursplunkserver>:8000/en-us/debug/refresh?. Alternately, if there are more than a few members in the cluster, a rolling restart can be used instead of the debug/refresh command.

Last modified on 22 November, 2021
PREVIOUS
Troubleshoot messages about default indexes searched by the admin role
  NEXT
Troubleshoot failed intelligence downloads in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters