This is a new install. I am trying to add new data and getting an error message:
"You do not have the capability to add data. Please contact your administrator"
This was installed from my Unix team, under the root user. I am assigned another account with full rights on the server.
Is there something that I am missing to be able to get this to work?
Thank you
I was having this same issue. My issue was resolved by having an index that was not disabled on the host since it was an intermediate forwarder.
Hi jclark4, you'll need to make sure that you have administrative capabilities in the context of the Splunk instance you are trying to modify. Check out the admin manual for more info on this. Essentially, you'll want to make sure that your Splunk account is in the admin role. http://docs.splunk.com/Documentation/Splunk/6.0.2/Admin/Aboutusersandroles
Otherwise, you can directly edit the filesystem, modifying inputs.conf as desired to setup file monitor, scripted inputs or whatever config you want to get the data in.
Please let me know if this helps!
My account is in the admin role, but i still get that message
Run splunk btool authorize list
to check that the role you have still has the capabilities associated with adding data (edit_input_defaults, edit_monitor, indexes_edit, list_inputs, etc) Perhaps someone messed around with the capabilities given to default roles.
I've verified this, it looks correct:
edit_input_defaults = enabled
edit_monitor = enabled
indexes_edit = enabled
list_inputs = enabled