topic Re: Restrict search command usage (rest in particular) in Splunk Search

Restrict search command usage (rest in particular)

JacobPN — Tue, 19 Feb 2019 19:56:50 GMT

I am looking to restrict the use of certain search commands for particular users / roles.
In particular I would like users not to be able to use the rest command.

I have created a role and only added the capabilities change_own_password, rtsearch, and search, while also restricting search access to two (empty) indexes. However, using the this query:

| rest services/data/indexes

users will still be able to see all indexes (on the standalone server). Is there a way to prevent this?

Re: Restrict search command usage (rest in particular)

jbrocks — Wed, 20 Feb 2019 12:51:30 GMT

You can finde a documentation about capabilities here. there are even some capabilities for the rest api e.g. dispatch_rest_to_indexers

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf?utm_source=answers&utm_medium=in-answer&utm_term=authorize.conf&utm_campaign=refdoc

Re: Restrict search command usage (rest in particular)

JacobPN — Wed, 20 Feb 2019 12:56:58 GMT

Thank you for your answer. I found the dispatch_rest_to_indexers capability. However the current Splunk setup is a standalone server. So not assigning this capability doesn't help in this case (in fact, I didn't assign it and the mentioned rest query can still be used). I think I need to disable the rest command all together somehow. Do you know if that's possible?

Re: Restrict search command usage (rest in particular)

jbrocks — Wed, 20 Feb 2019 14:28:10 GMT

I think you can use the restmap.conf to disable the restapi e.g. with acceptFrom

acceptFrom=<network_acl> ...
* Lists a set of networks or addresses to allow this endpoint to be accessed
  from.
* This shouldn't be confused with the setting of the same name in the
  [httpServer] stanza of server.conf which controls whether a host can
  make HTTP requests at all
* Each rule can be in the following forms:
    1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
    2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
    3. A DNS name, possibly with a '*' used as a wildcard (examples:
       "myhost.example.com", "*.splunk.com")
    4. A single '*' which matches anything
* Entries can also be prefixed with '!' to cause the rule to reject the
  connection.  Rules are applied in order, and the first one to match is
  used.  For example, "!10.1/16, *" will allow connections from everywhere
  except the 10.1.*.* network.
* Defaults to "*" (accept from anywhere)

Find the docu here: https://docs.splunk.com/Documentation/Splunk/7.2.4/Admin/Restmapconf

Hope this helps!

Re: Restrict search command usage (rest in particular)

JacobPN — Tue, 05 Mar 2019 10:42:42 GMT

Thanks for the reply! I have tried this, but I'm not sure what to edit exactly. Could you provide an example that would disable the particular rest command I mentioned?
Also, I'm not sure that whitelisting an ip-address would work? Wouldn't the rest command from the search bar use localhost? Haven't been able to try this, since I'm not sure what to edit in de restmap.conf file.

Re: Restrict search command usage (rest in particular)

Bar_Ronen — Mon, 10 May 2021 19:02:48 GMT

Still have this issue?

I’ve found a solution for that.

Re: Restrict search command usage (rest in particular)

SierraX369 — Fri, 25 Jul 2025 13:43:29 GMT

@Bar_Ronen I would be interested.

Re: Restrict search command usage (rest in particular)

PickleRick — Fri, 25 Jul 2025 22:15:23 GMT

This is a relatively old thread and I don't recall seeing any of its participants active lately.

Anyway, I don't think you can disable the rest command as such. You can limit the scope of information the user can access (see the list_* capabilities) but I don't think you can prohibit a user from listing indexes on an AIO instalation.