Developing for Splunk Enterprise

Python SDK: How to create a user that can only write to specific indexes?

Path Finder


I am working with code that sends data to Splunk indexes via the Python SDK (splunklib.client). I want to create a custom user for the purpose of this code. That is, a user who's privileges are strictly that of writing data into a small number of indexes and be otherwise restricted from writing elsewhere.

I currently have a user with just the capability 'edit_tcp' and the 4 indexes I want specified for search capability, but this does not seem to restrict the write capability when using the .send() python function.

Any help would be apreciated, thanks.


When you created your user, what role did you give it? Did this role Inherit from another role? If yes, then the user will be able to write into any indexes that were allowed for all the "parent" roles in the inheritance tree.

0 Karma

New Member

We have a similar use case, and are running into the same problem, on 6.4.0. I have a user with a role that grants the below capabilities, but has no allowed indexes for search (only for testing, in real life, it would be able to search a subset of the available indexes):


This role inherits from no other roles, and the user has no other roles.

When authenticated as this user, I get no search results, and cannot use the collect command to write into any index, as is expected (or, when I have indexes allowed for the associated role, I can only use collect to write into the indexes that I am permitted to search).

However, using the Splunk Python SDK (via clientInstance.index[<index_name>].submit()) or the REST API (via /services/receivers/{simple,streaming}), while authenticated as this user, I am able to write into any index, regardless of which indexes I am permitted to search.

0 Karma



I have a similar concern, I am building a Splunk app to capture user input and then POST it to an index. Users have edit_tcp capability and they can post data to any index irrespective of whether which they have read access to it or not.

0 Karma