Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Troubleshoot messages about default indexes searched by the admin role

Troubleshoot Splunk messages about default indexes searched by the admin role in the Splunk platform.

Default admin searches include summary indexes

When the admin role searches summary indexes by default, you can see decreased performance. You can stop seeing messages about this setting by limiting the indexes searched by the admin role or by disabling the search.

Limit the indexes searched by the admin role

Prevent the admin role from searching summary indexes. You can identify summary index names because the index names end in _summary, such as endpoint_summary.

  1. Select Settings > Access controls.
  2. Click Roles.
  3. Click admin.
  4. From Indexes click any summary index to remove it from the selected indexes.
  5. Click Save.

Disable the search to prevent messages

If you do not want to limit the indexes searched by the admin role, but you want to stop seeing messages, disable the search.

  1. Select Settings > Searches, reports, and alerts.
  2. Locate the Audit - Default Admin Search Indexes search.
  3. Select Edit > Disable.
  4. Click Disable.


Default admin searches include all non-internal indexes

When the admin role searches all non-internal indexes by default, you can see decreased performance. You can stop seeing messages about this setting by limiting the indexes searched by the admin role or disabling the search.

Limit the indexes searched by the admin role

Prevent the admin role from searching all non-internal indexes.

  1. Select Settings > Access controls.
  2. Click Roles.
  3. Click admin.
  4. From Indexes click All non-internal indexes to remove it from the selected indexes.
  5. Click Save.

Disable the search to prevent messages

If you do not want to limit the indexes searched by the admin role, but you want to stop seeing messages, disable the search.

  1. Select Settings > Searches, reports, and alerts.
  2. Locate the Audit - Default Admin Search All Non-Internal search.
  3. Select Edit > Disable.
  4. Click Disable.
Last modified on 22 November, 2021
PREVIOUS
Troubleshoot script errors in Splunk Enterprise Security
  NEXT
Troubleshoot messages about unnecessary read or write access to investigation KV store collections

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters