"Forbidden" Error Message When Saving Search Results In Kibana

How do you troubleshoot the "forbidden" error that appears in the Kibana portal when saving a search result?

Issue Description

This error message usually occurs when something prevents data from being saved to the Elasticsearch indices.


Resolution

Solution 1

Check whether there is enough free space on the Elasticsearch storage drive. If free space is low, check whether the index for the current month ("TenantName-yyyy.mm") is set to read-only mode. The steps to check for read-only mode and remove it are given below (**).


Solution 2

Check whether the .kibana index is set to read-only mode. The steps to check for read-only mode and remove it are given below (**).


Solution 3

If X-Pack is enabled, ensure that the user account in use has been given the appropriate roles. If unsure, ensure "Minimum privileges set for all spaces" is set to "All".

** Steps to check an index for read-only mode and remove it:

  1. Navigate to the "Management" pane.
  2. Select "Index management" under the Elasticsearch section.
  3. If you are searching for system indices (.kibana, .monitoring, etc.), enable the "Show system indices" option.
  4. From the list, select the index whose settings need to be checked.
  5. On the index pane that appears, select the "Settings" tab. The "read_only_allow_delete" property is shown here. If the property is set to true, the index is in read-only mode and does not accept new data.
  6. To remove the read-only property from the index, navigate to the "Edit settings" pane, set "read_only_allow_delete" to false, and click Save.
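
The same check and fix can be done through the Elasticsearch index settings API instead of the Kibana UI. The script below is an added example, not part of the original article: the sample response, the index names and the http://localhost:9200 address are constructed, and it assumes a cluster that needs no credentials (with X-Pack security enabled, the requests would also have to be authenticated).

```python
import json
import urllib.parse
import urllib.request

# Constructed sample of a GET /<index>/_settings response (not real cluster output).
SAMPLE_SETTINGS = {
    ".kibana": {"settings": {"index": {
        "blocks": {"read_only_allow_delete": "true"}, "number_of_shards": "1"}}},
    "tenantname-2024.05": {"settings": {"index": {
        "blocks": {"read_only_allow_delete": "false"}}}},
    "tenantname-2024.04": {"settings": {"index": {"number_of_shards": "1"}}},
}

def read_only_indices(settings_response):
    """Return the sorted names of indices whose read_only_allow_delete is true."""
    blocked = []
    for name, body in settings_response.items():
        blocks = body.get("settings", {}).get("index", {}).get("blocks", {})
        # Elasticsearch reports setting values as strings ("true" / "false").
        if str(blocks.get("read_only_allow_delete", "false")).lower() == "true":
            blocked.append(name)
    return sorted(blocked)

def build_unblock_request(base_url, index):
    """Build (without sending) the PUT that sets read_only_allow_delete to false."""
    url = f"{base_url.rstrip('/')}/{urllib.parse.quote(index, safe='')}/_settings"
    payload = json.dumps({"index.blocks.read_only_allow_delete": False}).encode()
    return urllib.request.Request(
        url, data=payload, method="PUT",
        headers={"Content-Type": "application/json"})

def fetch_settings(base_url, pattern):
    """GET the settings of every index matching pattern from a live cluster."""
    quoted = urllib.parse.quote(pattern, safe="*,")
    url = f"{base_url.rstrip('/')}/{quoted}/_settings"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Offline dry run on the constructed sample. Against a real cluster, use
    # fetch_settings(...) and send each request with urllib.request.urlopen(req).
    for idx in read_only_indices(SAMPLE_SETTINGS):
        req = build_unblock_request("http://localhost:9200", idx)
        print(req.get_method(), req.full_url, req.data.decode())
```

If the storage drive is still short of free space, Elasticsearch will put the index back into read-only mode, so free up space (Solution 1) before clearing the property.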