Security

Is it possible to give users the ability to modify the search string for an existing scheduled search without being able to change its schedule or create new ones?

mlf
Path Finder

I'm looking for a way to give a set of users the ability to modify an existing scheduled search's search string, without being able to change its schedule or create new scheduled searches. Based on what I know of the current capabilities, this doesn't seem possible since Splunk won't let you modify a scheduled search without the schedule_search capability, which would give them full add/change/delete of any scheduled search. Can anyone prove me wrong?

1 Solution

sideview
SplunkTrust

I would turn the key part, or parts of the search into a search macro, and then give them broader access to change that macro without changing the search.

Be mindful of permissions and sharing on that macro of course, so that it's available to the scheduled search when the time comes, but this should work fine.

http://docs.splunk.com/Documentation/Splunk/6.2.5/Search/Usesearchmacros

0 Karma
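
A sketch of the macro approach from the answer above, as Splunk configuration. This is an added example, not part of the original post; the app name `ops_app`, the role `search_editors`, the account `svc_reports`, and the macro and search names and their SPL are all assumptions.

```ini
# Constructed example: all names and SPL below are placeholders.

# --- $SPLUNK_HOME/etc/apps/ops_app/local/macros.conf ---
# The part of the search the delegated users are allowed to change.
[error_base_search]
definition = index=web sourcetype=access_combined status>=500

# --- $SPLUNK_HOME/etc/apps/ops_app/local/savedsearches.conf ---
# The schedule lives here, in an object the delegated users cannot write.
[error_report]
search = `error_base_search` | stats count by host
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# --- $SPLUNK_HOME/etc/apps/ops_app/metadata/local.meta ---
# Macro: shared at app level so the scheduled search can resolve it at
# run time; writable by the delegated role (which does not need the
# schedule_search capability to edit a macro).
[macros/error_base_search]
access = read : [ * ], write : [ admin, search_editors ]
owner = admin

# Saved search: only admin may change the search string or the schedule.
# A scheduled search runs with its owner's permissions and the macro text
# is expanded into it, so anyone who can edit the macro decides what runs
# as this owner. Use a low-privilege account here rather than admin.
[savedsearches/error_report]
access = read : [ * ], write : [ admin ]
owner = svc_reports
```

The macro and the saved search sit in the same app here, which is what keeps the macro visible to the search without exporting it globally.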

woodcock
Esteemed Legend

I agree with @sideview; this can also be done with eventtypes (which are macro-tized base searches) if you do not have any pipes in your search.

0 Karma

mlf
Path Finder

Not ideal, but probably the best workaround available currently within Splunk itself. What I really need is

  1. Separate ability in the GUI for editing a saved search and the saved search's schedule.
  2. The ability to assign capabilities to roles on a per-app basis.

I'm actually thinking of throwing some custom code in front of the REST interface to handle this particular case outside of the Splunk GUI.

0 Karma