Troubleshoot Log Observer Connect setup 🔗
This topic helps Log Observer Connect administrators and users resolve issues that might arise when searching Splunk platform indexes in Log Observer Connect.
Log Observer Connect users see unauthorized Splunk platform indexes 🔗
When searching in Log Observer Connect, users might see Splunk Enterprise or Splunk Cloud Platform indexes that are unauthorized for Log Observer Connect users.
Cause 🔗
All Splunk Enterprise and Splunk Cloud Platform users can list all indexes by default. However, if the indexes_list_all capability is enabled in authorize.conf, access to all indexes is limited to only those roles with this capability.
If Log Observer Connect users see an index in Log Observer Connect that is not authorized for Log Observer Connect users, contact your Splunk Enterprise or Splunk Cloud Platform administrator.
Solution 🔗
To limit Splunk platform indexes for Log Observer Connect users, a Splunk Enterprise or Splunk Cloud Platform administrator must follow these steps:
Log in as an administrator in your Splunk platform instance.
Splunk Cloud Platform administrators can skip this step. If the
indexes_list_allcapability is not present in your Splunk Enterprise instance, create a[capability::indexes_list_all]stanza inauthorize.conf. Once the configuration is set inauthorize.conf, theindexes_list_allcapability is deactivated for all roles. The administrator can then add this capability for select roles in the UI or inauthorize.conf.Enable
indexes_list_allcapability for the admin role and any other roles that need to access the indexes. For more information about adding capabilities to a role, see Define roles on the Splunk plaftorm with capabilities .Go to Settings > Roles and click the name of your Log Observer Connect service account role.
On the Capabilities tab, deselect
indexes_list_allto prevent Log Observer Connect users from seeing all Splunk platform indexes.