How to create a user with only ad-hoc searches permission?


Hi Splunk Experts

I have a set of set of users whom I just want them to allow only run ad-hoc searches. I don't want them to creating dashboard, reports and alerts. 

How it can be achievable ?

Any pointers to document will be helpful. 

Thanks in advance


Labels (1)
Tags (1)
0 Karma


To restrict a user from scheduling searches, create a role without schedule_search capabilty.

I can't think of a way to really forbid a user from running an ad-hoc report or dashboard since they are based on as-hoc searches. You could try to remove user's edit_own_objects capability to forbid user from creating own dashboards and reports (for the ones created by others or coming from the apps you could simply revoke permissions for user's role) but I'm not sure what you'll end up with in terms of such role's usefullness.

0 Karma


Thank you @PickleRick 

as per document  

edit_own_objects capability is already disabled for user role but still user will be able to create private dashboards in $SPLUNK_HOME/etc/users/<userhome> directory.  We clean this directory manually right now. 

We are looking for this role as a "read-only user who can run dashboard created by other power user and run searches". A typical requirement for support team. 

0 Karma


I don't think that's possible. You can try to make it more difficult for the user to create dashbboards. You could just fiddle with permissions and set some custom app as his default one. He could have just a search window and some pre-defined reports. It is most probably bypassable one way or another but still better than nothing. If you want to have a "strictly read-only" user (for example for compliance reasons), I'm not sure it's possible.

0 Karma




I don't recommend this as a production solution, but for exploration's sake, this may be possible on a self-hosted instance by preventing Splunk from writing private configuration settings to the user's Splunk home directory. For example, to prevent Splunk from writing to savedsearches.conf in the search app:

sudo chown root:root $SPLUNK_HOME/etc/users/<username>/search/local/savedsearches.conf
sudo chmod 0000 $SPLUNK_HOME/etc/users/<username>/search/local/savedsearches.conf

This assumes that Splunk is running as a non-root user and can't otherwise restore permissions without a system administrator's intervention.

When the user attempts to save a report, they'll receive an error message:

In handler 'savedsearch': Data could not be written: /<username>/search/savedsearches/<name>/search: ...

 I do recommend contacting Splunk support or your Splunk account manager for further guidance.

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...