Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Assigning User Permissions to Update Forwarders

bteele
New Member
‎05-25-2018 07:06 AM

Is there a way to assign permissions to Splunk users that will allow them access to delete old forwarders from Forwarder Management and rebuild the forwarder assets under Monitoring Console, but not grant them full admin rights to the rest of the system? I'm looking to get granular on the admin permissions, as different shifts will be responsible for updating the forwarders list as servers are commed and decommed.

We're on Splunk Enterprise 7.0.2 with a distributed environment with a dedicated deployment server.

Tags (1)
0 Karma
Reply

adonio
Ultra Champion
‎05-25-2018 08:44 AM

hello there,

when you say "delete" from forwarder management, do you mean to remove the name of the forwarder that appears as down or not phoned home for a while?
as for the forwarders list under MC, not sure why manually do so as it updates every interval you set ...
can you elaborate a little on your use case and the drive behind it?

0 Karma
Reply

bteele
New Member
‎05-25-2018 08:55 AM

We have an alert that fires off every hour if any forwarders are "missing" ie not current (out of box "DMC Alert - Missing forwarders").

When a server is decommed in our environment, the client instance in Forwarder Management alerts as not having phoned home. We have to then go in and "delete" the entry in Forwarder Management, and then also rebuild the forwarder assets in Monitoring Console. If we don't do the latter, we continue to get the missing forwarders alert, even if it's been deleted from Forwarder Management.

What I'm looking for are the permissions required to manually complete these two tasks. If the "DMC Forwarder - Build Asset Table" report (which we have enabled) is supposed to clean up the table, then it's not working. If I don't get notified of a decomm, then the forwarder goes missing, and I have to log in to delete it and rebuild. I'm looking to give that ability to others as well.

If there's another functionality available that will automate the process, that'd be great, too. But our previous admin said it had to be done manually.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...