Multiple Splunk roles with default App set - how is the default App chosen and is there a way to set precedence?

Engager

I have a team that uses multiple apps in Splunk. They have separate LDAP groups that are given separate Splunk roles. In these roles, they have the default app set. Here's a simplified case:

  1. Foo_ad maps to Foo_role with Foo_app set as the default App
  2. Bar_ad maps to Bar_role with Bar_app set as the default App

Is there a way to set the precedence of which app is chosen as the default App? I can't determine what happens when a user is given both of these roles. Is there a way to make it so if they have both then default to what Foo_role says?

Builder

Whichever you set up last will get precedence.

0 Karma

Path Finder

This thread is pretty old and I'm not sure if necroing is a thing here, but I also had this question after an app in our prod environment decided to take control, so I did some testing in my dev environment and I found it to be alphabetical.

So in this case Bar_app would be the default for anyone who has both and would need to manually be set in Access controls >> Users if you wanted it to be Foo_app. I'm not aware of any way to override this elsewhere.

0 Karma

Ultra Champion

yannK [Splunk] spoke about the issue at Set Default App by Role?

He said -

-- it's defined in the role as "default app" in manager > access controls > Roles > ....
And can be overwritten by the users in their own user preferences.
I do not know who wins in case of role inheritance, or users who are members of multiple roles.

0 Karma