Troubleshoot messages about default indexes searched by the admin role in Splunk Enterprise Security
Issue
Performance issues occur when the admin role searches summary indexes by default on the Splunk platform. Summary index names end in _summary, such as endpoint_summary.
Cause
Default admin searches include all non-internal indexes. When the admin role searches all non-internal indexes by default, you see decreased performance.
Solution
Stop seeing messages about this setting by limiting the indexes searched by the admin role or by disabling the search.
Limit the summary indexes searched by the admin role
Follow these steps to prevent the admin role from searching summary indexes:
- Select Settings and then select Access controls.
- Select Roles.
- Select admin.
- From Indexes, select any summary index to remove it from the selected indexes.
- Select Save.
Limit the non-internal indexes searched by the admin role
Prevent the admin role from searching all non-internal indexes.
- Select Settings > Access controls.
- Click Roles.
- Click admin.
- From Indexes click All non-internal indexes to remove it from the selected indexes.
- Click Save.
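The two procedures above edit the same setting: the admin role's default search indexes, which Splunk stores as the srchIndexesDefault key in the [role_admin] stanza of authorize.conf (a semicolon-separated list, where the * wildcard is what the UI shows as "All non-internal indexes"). The following added example is not Splunk's own code; it parses a constructed authorize.conf body and flags a role whose defaults include that wildcard or any index ending in _summary, so you can confirm the change took effect without opening the UI. The role_admin_narrowed stanza is a hypothetical name used only to show the narrowed form side by side with the broad one.

```python
"""Check which indexes a Splunk role searches by default.

Added example, not Splunk's own code: parses the INI-style
authorize.conf format and flags any role whose srchIndexesDefault
covers every non-internal index ("*") or any *_summary index.
"""
import configparser

# Constructed sample: [role_admin] is the broad setting this page warns
# about; [role_admin_narrowed] is a hypothetical stanza showing the
# narrowed form after summary indexes and the wildcard are removed.
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
srchIndexesAllowed = *;_*
srchIndexesDefault = *;endpoint_summary

[role_admin_narrowed]
srchIndexesAllowed = *;_*
srchIndexesDefault = main;notable;risk
"""


def parse_authorize_conf(text):
    """Return {stanza: {key: value}} for an authorize.conf body."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case; Splunk keys are camelCase
    parser.read_string(text)
    return {s: dict(parser[s]) for s in parser.sections()}


def default_indexes(role_settings):
    """Split the ';'-separated srchIndexesDefault value into a list."""
    raw = role_settings.get("srchIndexesDefault", "")
    return [i.strip() for i in raw.split(";") if i.strip()]


def audit_default_indexes(conf_text):
    """Return {role_stanza: [findings]} for roles whose defaults are too broad."""
    findings = {}
    for stanza, settings in parse_authorize_conf(conf_text).items():
        if not stanza.startswith("role_"):
            continue
        problems = []
        for idx in default_indexes(settings):
            if idx == "*":
                problems.append("searches all non-internal indexes by default")
            elif idx.endswith("_summary"):
                problems.append(f"searches summary index {idx} by default")
        if problems:
            findings[stanza] = problems
    return findings


if __name__ == "__main__":
    for role, problems in audit_default_indexes(SAMPLE_AUTHORIZE_CONF).items():
        for problem in problems:
            print(f"{role}: {problem}")
```

Because Splunk layers authorize.conf across apps and the local directory, run the check against the merged view (for example, the output of `splunk cmd btool authorize list role_admin` on the search head) rather than a single file, so that an override in another app does not hide a broad default.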
Turn off the search to prevent messages
If you do not want to limit the indexes searched by the admin role, but you want to stop seeing messages, turn off the search.
Follow these steps to turn off the search:
- Select Settings and then select Searches, reports, and alerts.
- Locate the Audit - Default Admin Search Indexes search or the Audit - Default Admin Search All Non-Internal search.
- Select Edit and then select Deactivate / Turn off.
- Select Deactivate / Turn off.
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0