What are the minimum Splunk capabilities required to use the Splunk TA-SyncKVStore app?

woodcock
Esteemed Legend

I checked the listing on Splunkbase and the documentation does not include this information:
https://splunkbase.splunk.com/app/3519/

0 Karma
1 Solution

woodcock
Esteemed Legend

My client was interested in trying to create a special minimal-capability, least-privileged user to run the sync.
I am used to seeing a "documentation" page on Splunkbase with the README text in it, but this app doesn't have that.
What it does have is a more recent version of the app, the source code, notes, and update history on GitHub here:
https://github.com/georgestarcher/TA-SyncKVStore

To work, the user must be able to hit the REST API endpoints used (these are capabilities) and have read permission to the source collection and write permission to the destination collection (if that is your destination type). The latter are KO meta settings unrelated to roles. So:
The user MUST have this capability to read the KV store: rest_properties_get.
Depending on what you are doing with it, you might also need this capability: rest_properties_set.
There is another REST-related capability that you should not need, but I will list it for completeness: rest_apps_view.

0 Karma
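
A least-privilege check for the sync role described in the accepted answer, as an added example that is not part of the original post or the TA-SyncKVStore project: it parses one merged authorize.conf text, resolves importRoles inheritance, and reports capabilities beyond those the answer lists. The role names and the sample configuration are constructed for illustration.

```python
import configparser

# Capabilities named in the answer above for the sync user (taken from the post).
REQUIRED = {"rest_properties_get"}
OPTIONAL = {"rest_properties_set", "rest_apps_view"}

# Constructed sample authorize.conf; the role names are hypothetical.
SAMPLE_CONF = """
[role_user]
search = enabled
rest_properties_get = enabled
schedule_search = enabled
[role_kvsync_minimal]
rest_properties_get = enabled
rest_properties_set = enabled
[role_kvsync_inherits]
importRoles = user
rest_properties_set = enabled
"""

def load_roles(text):
    """Parse authorize.conf text into {role: (enabled_caps, imported_roles)}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. importRoles
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            items = dict(cp.items(section))
            raw = items.pop("importRoles", "")  # semicolon-separated role list
            imports = [r.strip() for r in raw.split(";") if r.strip()]
            caps = {k for k, v in items.items() if v.strip().lower() == "enabled"}
            roles[section[len("role_"):]] = (caps, imports)
    return roles

def effective_caps(roles, name, seen=None):
    """Capabilities of a role, including everything pulled in via importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()  # unknown role or import cycle: contributes nothing
    seen.add(name)
    caps, imports = roles[name]
    return set(caps).union(*(effective_caps(roles, p, seen) for p in imports))

def audit(roles, name):
    """Return (missing required caps, caps beyond the post's list) for a role."""
    eff = effective_caps(roles, name)
    return sorted(REQUIRED - eff), sorted(eff - REQUIRED - OPTIONAL)
```

A role that imports `user` satisfies the required capability but also carries everything `user` has, so `audit` reports the excess for `kvsync_inherits` and nothing for `kvsync_minimal`.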

starcher
SplunkTrust

It is in the README in the app when you download it, or see it in the Git repo.
https://github.com/georgestarcher/TA-SyncKVStore/blob/master/README.md
