Reporting
Highlighted

Any ideas on how to disable outputcsv for users?

Champion

Users are using outputcsv which generates the output on our filesystem which they cannot access as non-admins. How can we prevent them from using it (other than stating that fact).

It is dangerous since this output is generated in the same location as working files ($SPLUNK_HOME/var/run/...)

Reference: https://answers.splunk.com/answers/416877/will-csv-files-produced-by-the-outputcsv-command-b.html

outputlookup is allowed so we cannot remove output_file capability.

0 Karma
Highlighted

Re: Any ideas on how to disable outputcsv for users?

Path Finder

@thewolverine, You can restrict the users using roles and capabilities from Access controls. The one capability you can remove is "outputfile" : Lets the user create file outputs, including outputcsv (except for dispatch=t mode) and outputlookup.

Above is the definition from Splunk docs.

You can also control the user access from local.meta file. Remove write access to those users for a specific file.

Hope this helps.

Thanks,
Sandeep

0 Karma
Highlighted

Re: Any ideas on how to disable outputcsv for users?

Champion

Yes, however our users MUST be allowed to outputlookup. So cannot remove this capability.

0 Karma
Highlighted

Re: Any ideas on how to disable outputcsv for users?

SplunkTrust
SplunkTrust

Training seems to be your only solution, then.

How exactly do they keep doing "outputcsv"?

Hmm, though now that I've said that, I wonder if there might be a way to disable the command itself? Maybe look into a local commands.conf that ... I'm not sure, redirects "outputcsv" to a broken thing or something?
http://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/Commandsconf

Interesting idea, let me know if that leads you anywhere or if that looks like it might work, but you end up with further questions.

0 Karma