Troubleshoot messages about default indexes searched by the admin role
Troubleshoot Splunk messages about default indexes searched by the admin role in the Splunk platform.
Default admin searches include summary indexes
When the admin role searches summary indexes by default, you can see decreased performance. You can stop seeing messages about this setting by limiting the indexes searched by the admin role or by disabling the search.
Limit the indexes searched by the admin role
Prevent the admin role from searching summary indexes. You can identify summary indexes because their names end in _summary, such as endpoint_summary.
- Select Settings > Access controls.
- Click Roles.
- Click admin.
- From Indexes click any summary index to remove it from the selected indexes.
- Click Save.
Turn off the search to prevent messages
If you do not want to limit the indexes searched by the admin role, but you want to stop seeing messages, turn off the search.
- Select Settings > Searches, reports, and alerts.
- Locate the Audit - Default Admin Search Indexes search.
- Select Edit > Deactivate / Turn off.
- Click Deactivate / Turn off.
Default admin searches include all non-internal indexes
When the admin role searches all non-internal indexes by default, you can see decreased performance. You can stop seeing messages about this setting by limiting the indexes searched by the admin role or disabling the search.
Limit the indexes searched by the admin role
Prevent the admin role from searching all non-internal indexes.
- Select Settings > Access controls.
- Click Roles.
- Click admin.
- From Indexes click All non-internal indexes to remove it from the selected indexes.
- Click Save.
Turn off the search to prevent messages
If you do not want to limit the indexes searched by the admin role, but you want to stop seeing messages, turn off the search.
- Select Settings > Searches, reports, and alerts.
- Locate the Audit - Default Admin Search All Non-Internal search.
- Select Edit > Deactivate / Turn off.
- Click Deactivate / Turn off.
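Both procedures above change the admin role's default search indexes, which Splunk stores as the srchIndexesDefault setting in the [role_admin] stanza of authorize.conf. The following script is an added example, not part of this documentation or of Splunk Enterprise Security: it reads a constructed authorize.conf fragment offline, flags every role whose default indexes include the all-non-internal wildcard (*) or any index ending in _summary (the two conditions the Audit searches above report on), and computes the trimmed default list. The role and index names in the sample are invented; srchIndexesDefault, srchIndexesAllowed and the semicolon-separated list format are the real authorize.conf conventions.

```python
import configparser

# Constructed sample authorize.conf fragment (illustrative only; the role and
# index names are invented). In a real deployment the admin role's defaults
# live in $SPLUNK_HOME/etc/system/local/authorize.conf.
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
srchIndexesAllowed = *;_*
srchIndexesDefault = *;endpoint_summary;risk

[role_user]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_es_analyst]
srchIndexesAllowed = *
srchIndexesDefault = main;notable;network_summary
"""


def parse_roles(conf_text):
    """Return {role_name: [default indexes]} for every [role_*] stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (srchIndexesDefault), do not lowercase
    parser.read_string(conf_text)
    roles = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue
        default = parser.get(section, "srchIndexesDefault", fallback="")
        # Splunk separates index lists with semicolons.
        roles[section[len("role_"):]] = [i.strip() for i in default.split(";") if i.strip()]
    return roles


def audit_default_indexes(roles):
    """Flag roles whose default indexes are broader than they need to be.

    '*' in srchIndexesDefault means every non-internal index is searched by
    default; names ending in _summary are summary indexes. Both widen the
    default search scope and cost performance on every search the role runs.
    """
    findings = []
    for role, indexes in roles.items():
        if "*" in indexes:
            findings.append((role, "all-non-internal"))
        summaries = [i for i in indexes if i.endswith("_summary")]
        if summaries:
            findings.append((role, "summary:" + ",".join(summaries)))
    return findings


def remediated_default(indexes):
    """Equivalent of removing the wildcard and every summary index in Splunk Web."""
    return [i for i in indexes if i != "*" and not i.endswith("_summary")]


if __name__ == "__main__":
    roles = parse_roles(SAMPLE_AUTHORIZE_CONF)
    for role, reason in audit_default_indexes(roles):
        print(f"{role}: default indexes too broad ({reason})")
        print(f"  suggested srchIndexesDefault = {';'.join(remediated_default(roles[role]))}")
```

To inspect the live, merged value of the setting on a search head rather than a sample file, run `splunk btool authorize list role_admin --debug` and feed its srchIndexesDefault line to the same checks. The script only reports and suggests; it does not write to authorize.conf, so the change is still made through Settings > Access controls as described above.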
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2