Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links might return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Troubleshoot messages about default indexes searched by the admin role

Troubleshoot Splunk messages about default indexes searched by the admin role in the Splunk platform.

Default admin searches include summary indexes

When the admin role searches summary indexes by default, you can see decreased performance. You can stop seeing messages about this setting by limiting the indexes searched by the admin role or by disabling the search.

Limit the indexes searched by the admin role

Prevent the admin role from searching summary indexes. You can identify summary index names because the index names end in _summary, such as endpoint_summary.

  1. Select Settings > Access controls.
  2. Click Roles.
  3. Click admin.
  4. From Indexes, click each summary index to remove it from the selected indexes.
  5. Click Save.

Turn off the search to prevent messages

If you do not want to limit the indexes searched by the admin role, but you want to stop seeing messages, turn off the search.

  1. Select Settings > Searches, reports, and alerts.
  2. Locate the Audit - Default Admin Search Indexes search.
  3. Select Edit > Deactivate / Turn off.
  4. Click Deactivate / Turn off.


Default admin searches include all non-internal indexes

When the admin role searches all non-internal indexes by default, you can see decreased performance. You can stop seeing messages about this setting by limiting the indexes searched by the admin role or by disabling the search.

Limit the indexes searched by the admin role

Prevent the admin role from searching all non-internal indexes.

  1. Select Settings > Access controls.
  2. Click Roles.
  3. Click admin.
  4. From Indexes, click All non-internal indexes to remove it from the selected indexes.
  5. Click Save.

Turn off the search to prevent messages

If you do not want to limit the indexes searched by the admin role, but you want to stop seeing messages, turn off the search.

  1. Select Settings > Searches, reports, and alerts.
  2. Locate the Audit - Default Admin Search All Non-Internal search.
  3. Select Edit > Deactivate / Turn off.
  4. Click Deactivate / Turn off.
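
Both procedures above change the admin role's default search indexes, which Splunk stores as the srchIndexesDefault setting of the [role_admin] stanza in authorize.conf. The following script is an added example, not Splunk's own code: it parses a constructed authorize.conf fragment, flags the two conditions the audit searches warn about (summary indexes, whose names end in _summary, and the * wildcard, which in authorize.conf matches every non-internal index), and renders the remediated setting. Running it against a real authorize.conf is a quick way to confirm that the role change took effect on a search head without opening the Access controls page.

```python
"""Audit the admin role's default search indexes in a Splunk authorize.conf.

Added example, not Splunk's own code. It reads the srchIndexesDefault
setting of the [role_admin] stanza and reports the two conditions the
Enterprise Security audit searches warn about: summary indexes
(names ending in _summary) and the all-non-internal wildcard (*).
"""
import configparser

# Constructed sample authorize.conf: the admin role searches everything
# non-internal plus a summary index by default.
SAMPLE_AUTHORIZE_CONF = """\
[role_admin]
importRoles = power;user
srchIndexesAllowed = *;_*
srchIndexesDefault = main;endpoint_summary;*
"""


def parse_default_indexes(conf_text, role="admin"):
    """Return the list of indexes in srchIndexesDefault for the given role.

    authorize.conf is INI-style; multi-valued settings are ';'-separated.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk setting names are case-sensitive
    parser.read_string(conf_text)
    stanza = f"role_{role}"
    if not parser.has_section(stanza):
        return []
    raw = parser.get(stanza, "srchIndexesDefault", fallback="")
    return [item.strip() for item in raw.split(";") if item.strip()]


def audit_default_indexes(indexes):
    """Classify default indexes into the findings the audit searches raise."""
    return {
        "summary_indexes": [i for i in indexes if i.endswith("_summary")],
        # In authorize.conf, '*' alone matches every non-internal index;
        # '_*' is the pattern for internal indexes and is not flagged here.
        "all_non_internal": "*" in indexes,
    }


def remediate(indexes):
    """Return the default-index list with both problem entries removed.

    Mirrors the manual steps in the documentation: drop summary indexes
    and the all-non-internal wildcard from the role's selected indexes.
    """
    return [i for i in indexes if i != "*" and not i.endswith("_summary")]


def render_stanza(indexes, role="admin"):
    """Render a srchIndexesDefault line suitable for authorize.conf."""
    return f"[role_{role}]\nsrchIndexesDefault = {';'.join(indexes)}\n"


if __name__ == "__main__":
    current = parse_default_indexes(SAMPLE_AUTHORIZE_CONF)
    print("current default indexes:", current)
    print("findings:", audit_default_indexes(current))
    print(render_stanza(remediate(current)))
```

Point parse_default_indexes at the merged configuration (for example the output of `splunk btool authorize list role_admin`) rather than a single file, because a local authorize.conf can override the default one. The alternative procedure, turning off the audit search, corresponds to `disabled = 1` in the saved search's stanza in savedsearches.conf and leaves the role's index list unchanged, so the script still reports the finding afterwards.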
Last modified on 11 August, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2

