Why is Splunk Web limited to 50 users when using Scripted Authentication Input for RSA & TFTI?


I am using TFTI agent with a splunk script to get user authentication. I use the "" file to map the user requesting access through the TFTI client to the role the user is assigned to have. I am using the "passwd" file to map the user to the display name. I have changed the file to look for the passwd file in ~/etc/system/local and to get the user info like this.

def getUsers( infoIn 😞
# just going to use /etc/passwd here but you may use any method you wish.
FILE = open("/opt/splunk/etc/system/local/passwd" ,"r")
fileLines = FILE.readlines()

All is working fine and only authenticated users that are in the file are granted access and are restricted to there role.

Here is my problem. Only the first 50 users show up in the Splunk Web as scripted users and only the first 50 users can see their saved reports/alerts/dashboards.

The users can save the work and call it with the link but they can not select it or see it in the Splunk Web.

Any help would be great

We started using scripted authentication in 4.1 and are now at 6.5
I don't know when this limitation was introduced.

Any ideas help would be greatly appreciated.


Users private knowledge objects should be stored under /opt/splunk/etc/users/ directory.
If Splunk Web does not seem to be able to list some users and their knowledge objects, it could indicate an issue at this level?
Are you able to check if that directory exists on the filesystem for one of the user that is subject to the problem?

Taking a saved search for example (still for one user with the problem), can you find in which configuration file it is residing using btool:

/opt/splunk/bin ./splunk btool --debug savedsearches list "<savedsearch>"

Another idea could be to run a the following SPL rest:

| rest /services/authentication/users

Eventually you could get an error message that could help find the issue.

Finally I would suggest searching _internal logs for errors. Users and saved searches panels are populated using rest api calls, so you may see errors in there that could help too.

A last one, if possible: temporarily remove one of the 50 first users and see if user 51 (now 50) behaves properly.

0 Karma


According your situation, I guess is the user-limit in splunk web ?
I have searched the splunk doc to find some instructions about the user's number setting.

  1. [limit.comf], [typeahead] max_concurrent_per_user =
  2. The maximum number of concurrent typeahead searches per user. Once this maximum is reached only cached typeahead results might be available
  3. Default: 3
  4. There is no user's number limit issue in splunk I guess. Maybe you can check the capability betweeen the TFTI and splunk 6.5 service

Hope well.

Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...