Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Standard User – UI File Upload – What Capabilities are required?

nickhills
Ultra Champion
‎07-14-2025 01:01 PM

I want to provide a standard Splunk user the ability to upload files via the web UI.
Specifically, so that members of our finance team can upload supplier bills for reconciliation with our platform data. In this scenario granting full sc_admin is certainly not appropriate!

I had (incorrectly) assumed that Power Users had this ability, but that is not the case.
There is an article from 2014 that details what was required 11 years ago, but the cited permissions in that article are no longer relevant in 2025: https://community.splunk.com/t5/Getting-Data-In/Capability-to-upload-data-files-via-the-gui-for-a-us...

What is required in Splunk >9.3 (specifically Splunk Cloud) to enable this feature for a non-admin user?


If my comment helps, please give it a thumbs up!
Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎07-14-2025 01:07 PM

 


After some reading https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/manage-splunk-...

Followed by experimenting and testing...

The current platform versions provide a capability called edit_upload_and_index which is defined as “Lets the user use the indexing preview feature when creating inputs in Splunk Web

This sounds highly promising, however granting that capability alone does not enable the Add Data Button in the settings menu..

In order to present the option to a standard user, additionally the edit_tcp_stream capability is also required – this is not immediately obvious, because the name of the capability masks the documented definition: “Lets the user send data to the the /services/receivers/stream REST endpoint.”

 

I suspect that this second permission has the side effect of granting access to the relevant rest API which allows the /manager/<app>/adddata button to be added to the settings menu.

These two permissions allow the Upload Data option to function, and whilst the option is also presented for other monitor types, the UI throws a (partial) 404 and prevents the user from adding anything more exotic.

It is not clear to me if this is an expected combination of permissions Splunk intends you to grant (in which case, I will submit a documentation update suggestion) or if the edit_upload_and_index capability is intended to facilitate the outcome on its own.


TLDR: To enable a non-admin user to upload files via the UI (in at least Splunk versions greater than 9.3), grant the edit_upload_and_index AND edit_tcp_stream capability to the users role.

 

If my comment helps, please give it a thumbs up!

View solution in original post

Preview file
27 KB
0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎07-14-2025 01:07 PM

 


After some reading https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/manage-splunk-...

Followed by experimenting and testing...

The current platform versions provide a capability called edit_upload_and_index which is defined as “Lets the user use the indexing preview feature when creating inputs in Splunk Web

This sounds highly promising, however granting that capability alone does not enable the Add Data Button in the settings menu..

In order to present the option to a standard user, additionally the edit_tcp_stream capability is also required – this is not immediately obvious, because the name of the capability masks the documented definition: “Lets the user send data to the the /services/receivers/stream REST endpoint.”

 

I suspect that this second permission has the side effect of granting access to the relevant rest API which allows the /manager/<app>/adddata button to be added to the settings menu.

These two permissions allow the Upload Data option to function, and whilst the option is also presented for other monitor types, the UI throws a (partial) 404 and prevents the user from adding anything more exotic.

It is not clear to me if this is an expected combination of permissions Splunk intends you to grant (in which case, I will submit a documentation update suggestion) or if the edit_upload_and_index capability is intended to facilitate the outcome on its own.


TLDR: To enable a non-admin user to upload files via the UI (in at least Splunk versions greater than 9.3), grant the edit_upload_and_index AND edit_tcp_stream capability to the users role.

 

If my comment helps, please give it a thumbs up!
Preview file
27 KB
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...