Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- What capabilities does my Splunk 9.2 user need to ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am creating a script that uses the CLI to create/delete Splunk roles. So far, I have been successful with creating them in the script when I use the admin user.
However, my CISO says that I can't use the Splunk admin user and I need to create a Splunk User (and a Splunk Role) that can create and delete indexes.
I have tried adding the indexes_edit capability and when I tried doing the delete as my user, Splunk said that I needed to have the list_inputs capability. i have also tried adding access to all indexes.
I am using this document at the moment for my guidance, but it is rather light on detail:
https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities
The command that i am running is:
curl -k -u editor-user:MyPasword1 https://localhost:8089/servicesNS/admin/myapp/data/indexes -d name=newindex
I get the following:
<response>
<messages>
<msg type="ERROR">Action forbidden.</msg>
</messages>
</response>
This command succeeds if I use the admin user, but not with my editor user.
The current capabilities that I have to my existing editor role are:
[role_editor]
admin_all_objects = disabled
edit_roles = enabled
indexes_edit = enabled
list_inputs = enabled
srchIndexesAllowed = *
srchMaxTime = 8640000
srchTimeEarliest = -1
srchTimeWin = -1
Does anyone know what extra capabilities I need, please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I fixed it!
It was not the capabilities that were at fault, it was the curl command. the documentation says to use the following to create an index:
curl -k -u editor-user:MyPasword1 https://localhost:8089/servicesNS/admin/myapp/data/indexes -d name=newindexThe REST API call is asking to make changes in the admin namespace, but the indexes are in the nobody namespace, so I needed to change it to be this and then it worked:
curl -k -u editor-user:MyPasword1 https://localhost:8089/servicesNS/nobody/myapp/data/indexes -d name=newindex- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I fixed it!
It was not the capabilities that were at fault, it was the curl command. the documentation says to use the following to create an index:
curl -k -u editor-user:MyPasword1 https://localhost:8089/servicesNS/admin/myapp/data/indexes -d name=newindexThe REST API call is asking to make changes in the admin namespace, but the indexes are in the nobody namespace, so I needed to change it to be this and then it worked:
curl -k -u editor-user:MyPasword1 https://localhost:8089/servicesNS/nobody/myapp/data/indexes -d name=newindex
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
