Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- What capabilities does my Splunk 9.2 user need to ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am creating a script that uses the CLI to create/delete Splunk roles. So far, I have been successful with creating them in the script when I use the admin user.
However, my CISO says that I can't use the Splunk admin user and I need to create a Splunk User (and a Splunk Role) that can create and delete indexes.
I have tried adding the indexes_edit capability and when I tried doing the delete as my user, Splunk said that I needed to have the list_inputs capability. i have also tried adding access to all indexes.
I am using this document at the moment for my guidance, but it is rather light on detail:
https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities
The command that i am running is:
curl -k -u editor-user:MyPasword1 https://localhost:8089/servicesNS/admin/myapp/data/indexes -d name=newindex
I get the following:
<response>
<messages>
<msg type="ERROR">Action forbidden.</msg>
</messages>
</response>
This command succeeds if I use the admin user, but not with my editor user.
The current capabilities that I have to my existing editor role are:
[role_editor]
admin_all_objects = disabled
edit_roles = enabled
indexes_edit = enabled
list_inputs = enabled
srchIndexesAllowed = *
srchMaxTime = 8640000
srchTimeEarliest = -1
srchTimeWin = -1
Does anyone know what extra capabilities I need, please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I fixed it!
It was not the capabilities that were at fault, it was the curl command. the documentation says to use the following to create an index:
curl -k -u editor-user:MyPasword1 https://localhost:8089/servicesNS/admin/myapp/data/indexes -d name=newindexThe REST API call is asking to make changes in the admin namespace, but the indexes are in the nobody namespace, so I needed to change it to be this and then it worked:
curl -k -u editor-user:MyPasword1 https://localhost:8089/servicesNS/nobody/myapp/data/indexes -d name=newindex- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I fixed it!
It was not the capabilities that were at fault, it was the curl command. the documentation says to use the following to create an index:
curl -k -u editor-user:MyPasword1 https://localhost:8089/servicesNS/admin/myapp/data/indexes -d name=newindexThe REST API call is asking to make changes in the admin namespace, but the indexes are in the nobody namespace, so I needed to change it to be this and then it worked:
curl -k -u editor-user:MyPasword1 https://localhost:8089/servicesNS/nobody/myapp/data/indexes -d name=newindex
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
