Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Any ideas on how to disable outputcsv for users?

the_wolverine
Champion
‎11-14-2018 09:29 AM

Users are using outputcsv which generates the output on our filesystem which they cannot access as non-admins. How can we prevent them from using it (other than stating that fact).

It is dangerous since this output is generated in the same location as working files ($SPLUNK_HOME/var/run/...)

Reference: https://answers.splunk.com/answers/416877/will-csv-files-produced-by-the-outputcsv-command-b.html

outputlookup is allowed so we cannot remove output_file capability.

0 Karma
Reply

sandeeprachuri
Path Finder
‎11-14-2018 11:03 AM

@the_wolverine, You can restrict the users using roles and capabilities from Access controls. The one capability you can remove is "output_file" : Lets the user create file outputs, including outputcsv (except for dispatch=t mode) and outputlookup.

Above is the definition from Splunk docs.

You can also control the user access from local.meta file. Remove write access to those users for a specific file.

Hope this helps.

Thanks,
Sandeep

0 Karma
Reply

the_wolverine
Champion
‎11-14-2018 11:16 AM

Yes, however our users MUST be allowed to outputlookup. So cannot remove this capability.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎11-14-2018 06:37 PM

Training seems to be your only solution, then.

How exactly do they keep doing "outputcsv"?

Hmm, though now that I've said that, I wonder if there might be a way to disable the command itself? Maybe look into a local commands.conf that ... I'm not sure, redirects "outputcsv" to a broken thing or something?
http://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/Commandsconf

Interesting idea, let me know if that leads you anywhere or if that looks like it might work, but you end up with further questions.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...