Hi,
I want to set role in Splunk such that user is restricted to only searching. NO admin privileges..
Manager>Roles
Role:
Capabilities:
search
Index:
muncher
Is only setting search enough under capabilities to restrict user to only searching for index muncher? Also if i want user to be able to create report/schedule search... will this capability allow that or I have to set additional capabilities.
get_typeahead? what exactly is this.. Does it autocomplete previously entered queries?
You may want to include the following two capabilities for the user as well...
rest_properties_get
get_metadata
The first will allow the user to login without getting an Authorization error (assuming you are using the default Splunk authentication system) and the second will show the data in the search summary page.
schedule_search is the capability you will want to add for users to schedule searches. The reporting functionality is already enabled with the search capability.
get_typeahead within Splunk returns typeahead on a specified prefix. This works as the auto-complete on previous searches and could potentially reveal sensitive information.
For more information on role capabilities, you may want to refer to the admin documentation located at http://www.splunk.com/base/Documentation/4.1.5/Admin/Addusersandassignroles#List_of_available_capabi...
You may want to include the following two capabilities for the user as well...
rest_properties_get
get_metadata
The first will allow the user to login without getting an Authorization error (assuming you are using the default Splunk authentication system) and the second will show the data in the search summary page.
schedule_search is the capability you will want to add for users to schedule searches. The reporting functionality is already enabled with the search capability.
get_typeahead within Splunk returns typeahead on a specified prefix. This works as the auto-complete on previous searches and could potentially reveal sensitive information.
For more information on role capabilities, you may want to refer to the admin documentation located at http://www.splunk.com/base/Documentation/4.1.5/Admin/Addusersandassignroles#List_of_available_capabi...
I know this post is a bit old, but I'm curious what you meant when you said get_typeahead "could potentially reveal sensitive information." Can you give me an example when this would expose sensitive information? I was under the impression that get_typeahead works by comparing your search syntax to those you've entered previously. If this is true, wouldn't get_typeahead only reveal already known information to the user?
Thanks
Jason