Configure the roles to search multiple indexes
The Splunk platform stores ingested data sources in multiple indexes. Distributing data into multiple indexes allows you to use role-based access control and vary retention policies for data sources. The Splunk platform configures all roles to search only the main index by default.
To allow roles in Splunk Enterprise Security to search additional indexes, assign the indexes that contain relevant security data to the relevant roles.
- In the Splunk platform, select Settings.
- Select Access controls and then select Roles.
- Select the role name that you want to allow to search additional indexes.
- Select the desired Indexes searched by default and Indexes that this role can search. Do not include summary indexes, as this can cause a search and summary index loop.
- Save your changes.
- Repeat for additional roles as needed.
If you do not update the roles with the correct indexes, searches and other knowledge objects that rely on data from unassigned indexes will not update or display results.
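To check the result of the steps above across many roles, the following added example (not Splunk's own code) audits role stanzas in `authorize.conf`, where these selections are stored as `srchIndexesAllowed` and `srchIndexesDefault`. The role names, index names, and the `audit_roles` helper are assumptions for illustration; inherited roles (`importRoles`) are not resolved.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf; role and index names are illustrative.
SAMPLE_CONF = """
[role_ess_analyst]
srchIndexesAllowed = main;firewall;proxy;summary
srchIndexesDefault = main;firewall

[role_ess_user]
srchIndexesAllowed = main
srchIndexesDefault = main;summary

[role_soc_lead]
srchIndexesAllowed = *
srchIndexesDefault = main
"""

def _covered(index, patterns):
    # Assumption: a wildcard that does not start with "_" does not match
    # internal indexes such as _audit; "_*" is needed for those.
    return any(fnmatchcase(index, p) and (p.startswith("_") or not index.startswith("_"))
               for p in patterns)

def audit_roles(conf_text, required, summary):
    """Return {role: [findings]} for every role_* stanza in authorize.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        findings, lists = [], {}
        for key in ("srchIndexesAllowed", "srchIndexesDefault"):
            raw = cp.get(section, key, fallback="")
            lists[key] = [p.strip() for p in raw.split(";") if p.strip()]
            # Summary indexes in either list risk a search and summary index loop.
            findings += [f"{key} includes summary index {i}"
                         for i in summary if _covered(i, lists[key])]
        # Indexes the role needs but is not allowed to search return no results.
        findings += [f"cannot search {i}"
                     for i in required if not _covered(i, lists["srchIndexesAllowed"])]
        if findings:
            report[section[len("role_"):]] = findings
    return report

if __name__ == "__main__":
    for role, found in audit_roles(SAMPLE_CONF, ["firewall", "proxy"], ["summary"]).items():
        print(role, found)
```

Note that the `*` wildcard on the constructed `soc_lead` role is reported because it also covers the summary index.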