What capabilities does a REST API only user need?

Path Finder

I want to create a user that can ONLY access Splunk via the REST API and run (potentially only saved) searches.

What are the minimum capabilities needed to login via REST and access saved searches? I know I need rest_properties_get but what is the bare minimum needed to login and search.

Path Finder

schedule_search is all you need from my experience

0 Karma


It's an old question, but i came though the same issue.
You have to enable "dispatch_rest_to_indexers" for the Role to query also Indexers rest api (like Storage or any other api inside Indexers side).

0 Karma


It took us awhile for Graphistry - search and rest_properties_get. You should verify, but that appears to preclude web login as desired as well.


It does not seem possible at the moment. (Tested on 6.3.3.) A new user, with only a role with no inheritance and no capabilities, can still log into the UI of Splunk.

What you can do is go through the permissions of each and every app (Apps > Manage Apps > "Permissions" on every one "visible") to disable. This won't disable logons to the UI but will render the UI effectively useless.

(Keep in mind that any field extractions and knowledge objects in a visible app will then not be available for you - so keep all knowledge objects in separate, non "visible" Technology Add-ons if you want your API-only user to be able to use them!)

0 Karma


In my environment the user role already had the following rest-related capabilities:

It turned out that this was not enough to allow a user to authenticate, I created a new role and found that just by adding a single capability the user was able to authenticate and use the API:

Get Updates on the Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...