Security

Restrict a user's ability to write to indexes

w531t4
Path Finder

All - A user brought an issue to my attention today that I can't find a solution to. This user currently has the need to search through hypothetical index=a and index=b. He showed me that he could use the following command to write results to index=a or index=b:

index=b whateverfilter=true | head 2 | collect index=a marker="report=testing123" testmode=false

I have confirmed his write to the index to be successful. Although I'm able to easily identify the events he wrote to the index by searching for sourcetype=stash, the fact that he can write to the index is a pretty big no-no for us.

One post (http://answers.splunk.com/answers/7565/summary-index-question) suggested using local.meta to limit reads/writes to the index, however it doesn't appear to work.

Does anyone know how I can restrict a user's ability to write events to an index?

Update: The user who brought this to my attention has the equivalent permissions to the default 'User' role.
Update 2: I'm running Splunk Enterprise 5.0.6

alanden_splunk
Splunk Employee

Do not give the [capability::indexes_edit] permission in authorize.conf


sbrant_splunk
Splunk Employee

"indexes_edit" is for the ability to modify the properties of the index. It doesn't change the ability to write data to an index.

From the docs at http://docs.splunk.com/Documentation/Splunk/7.1.1/Security/Rolesandcapabilities:

"indexes_edit Lets the user change any index settings such as file size and memory limits. "


alanden_splunk
Splunk Employee

Normally, that is my instinct as well, but I can tell you that only a few hours ago I saw a user account for a customer denied permission to use the collect command until after the customer reported giving the indexes_edit capability. After which time, the collect command worked perfectly. So I can report that after the customer reported giving that capability and doing nothing else, I saw the collect command become functional for the user. I will verify that I understood their report correctly, but I am 99% sure at this point.


splunkIT
Splunk Employee

There is currently an outstanding ER for it:
SPL-133287: ability to specify an index as read-only


yannK
Splunk Employee

I confirm: I tested, and the permission changes on [commands/pycollect] or [commands/collect] do not prevent a user from using the command.
Adding an option to disable this command will be a new feature request.

yannK
Splunk Employee

There are 2 methods to write to a summary index:

  • search with the " | collect" command
    • quick method to disable the collect: change the permissions on the "collect" command to allow only power or admin roles to use it. [EDIT] first method not working
  • scheduled search with the option "summary"

w531t4
Path Finder

'collect' is not listed as a search command in the search app. There's pycollect and pystash. I've made those read/write admin only and I'm still able to use the collect command as an under-privileged user.

yannK
Splunk Employee

In the UI, go to Settings > Advanced search > Search commands,
filter for the search app and search for "collect",
then change permissions based on role.


w531t4
Path Finder

I like your comment about disabling collect. How is this done?
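Since the thread ends without a supported way to make an index read-only, a defender's fallback is to watch for who runs `| collect` and where it writes. The script below is an added example, not from the thread or from Splunk: it scans audit-style search events for collect pipelines and flags writes by users outside an allowed set. The audit line layout, user names and the allowed-user set are constructed assumptions.

```python
import re

# Constructed sample lines modelled on Splunk _audit search events (not real log data).
# The first mirrors the search quoted in the thread; the second is a plain read; the
# third is an admin summary-indexing run.
AUDIT_LINES = [
    "Audit:[timestamp=01-15-2014 10:02:11.000, user=jdoe, action=search, info=granted , "
    "search_id='1389780131.42', search='search index=b whateverfilter=true | head 2 "
    "| collect index=a marker=\"report=testing123\" testmode=false', ...]",
    "Audit:[timestamp=01-15-2014 10:05:40.000, user=jdoe, action=search, info=granted , "
    "search_id='1389780340.43', search='search index=b | stats count', ...]",
    "Audit:[timestamp=01-15-2014 10:07:02.000, user=admin, action=search, info=granted , "
    "search_id='1389780422.44', search='search index=a sourcetype=stash | collect index=summary', ...]",
]

# Assumption: only these accounts are expected to summary-index in this deployment.
ALLOWED_COLLECT_USERS = {"admin"}

USER_RE = re.compile(r"\buser=([^,\]]+)")
SEARCH_RE = re.compile(r"search='((?:[^'\\]|\\.)*)'")      # the SPL string, up to the closing quote
COLLECT_RE = re.compile(r"\|\s*collect\b([^|]*)", re.IGNORECASE)  # each collect stage and its arguments
INDEX_RE = re.compile(r"\bindex=(\S+)")
TESTMODE_RE = re.compile(r"\btestmode=true\b", re.IGNORECASE)     # testmode=true does not write


def find_collect_writes(lines, allowed_users):
    """Return one finding per collect stage that actually writes to an index."""
    findings = []
    for line in lines:
        m_user, m_search = USER_RE.search(line), SEARCH_RE.search(line)
        if not (m_user and m_search):
            continue
        user = m_user.group(1).strip()
        for stage in COLLECT_RE.finditer(m_search.group(1)):
            args = stage.group(1)
            if TESTMODE_RE.search(args):
                continue  # dry run, nothing lands in the index
            idx = INDEX_RE.search(args)
            findings.append({
                "user": user,
                "target_index": idx.group(1) if idx else "(default summary index)",
                "authorized": user in allowed_users,
            })
    return findings


def unauthorized_writes(lines, allowed_users):
    """Only the collect writes made by users outside the allowed set."""
    return [f for f in find_collect_writes(lines, allowed_users) if not f["authorized"]]
```

Pair the result with the sourcetype=stash search from the question to confirm what the flagged user actually landed in the target index.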
