Security

Splunk free and capability

Alive77
New Member

I just installed Splunk 6.6.2 free.
Is there a way to modify free user capability, in my situation I would like disable delete capability.

At this moment, I create a new user and i'm able to delete events using CLI, with command:

index= somethingtodelete | delete

Thanks in advance.

Tags (1)
0 Karma
1 Solution

ChrisG
Splunk Employee
Splunk Employee

If you are using the free Enterprise trial, then check alemarzu's suggestion.

If you are using Splunk Free, then there is no user or role management (see About Splunk Free in the Admin Manual).

The fact that you could create a user account suggests that you are using the 60-day free Enterprise trial, which is what you get when you first download and install Splunk Enterprise.

View solution in original post

ChrisG
Splunk Employee
Splunk Employee

If you are using the free Enterprise trial, then check alemarzu's suggestion.

If you are using Splunk Free, then there is no user or role management (see About Splunk Free in the Admin Manual).

The fact that you could create a user account suggests that you are using the 60-day free Enterprise trial, which is what you get when you first download and install Splunk Enterprise.

Alive77
New Member

I didn't create a user, as you said it is the user (no-user) of the Splunk-free version.
I modified the license from trial to free.

In he Admin Manual, about free version, there is not a description of the enabled capabilities.
I expected that even if there is not role management the events access/deletion could be managed.

0 Karma

ChrisG
Splunk Employee
Splunk Employee

Quoting from that topic: "All accesses are treated as equivalent to the admin user. There is only one role (admin), and it is not configurable. You cannot add more roles or create user accounts." The admin role has all the capabilities listed here, and you cannot configure or manage them under the free license.

0 Karma

Alive77
New Member

@ChrisG that's not true. According the manual, Admin has not the delete_by_keyword capability. In Splunk Free this capability is active.

0 Karma

ChrisG
Splunk Employee
Splunk Employee

Good correction, thank you!

0 Karma

alemarzu
Motivator

Hi there, edit the capabilities of the role related to that user or check if role user ineherits can_delete capability from other role.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...