Splunk Enterprise Security: What role or capability is needed to enable the investigations functionality for users?


Some users reported that the investigations functionality is not available for them in the Enterprise Security app. What role/capability should I assign to them?

0 Karma

Splunk Employee

To create investigations, a user must be an ess_admin or have the edit_timeline capability. See
http://docs.splunk.com/Documentation/ES/4.1.1/Install/ConfigureUsersRoles to see how to add the capability.

If they can see investigations but can't view specific investigations, they would need to be added as a collaborator on that investigation.

0 Karma

Splunk Employee

You should not be assigning the ess_admin role to users. It is a container role which is used just to give additional capabilities and is inherited by admin (or sc_admin in Splunk Cloud) to be used for ES installation and upgrade tasks. It contains no ACLs.


0 Karma
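As an added example (not code from this thread or from Splunk), the following audits authorize.conf-style role definitions: it resolves `importRoles` inheritance to show which users effectively hold `edit_timeline`, and flags users assigned `ess_admin` directly. The stanza contents, the `soc_*` role names and the user mapping are constructed for illustration.

```python
import configparser

# Constructed sample in authorize.conf syntax; not taken from a real deployment.
SAMPLE_CONF = """
[role_ess_admin]
edit_timeline = enabled
[role_admin]
importRoles = ess_admin;power;user
[role_soc_investigator]
importRoles = user
edit_timeline = enabled
[role_soc_readonly]
importRoles = user
[role_power]
importRoles = user
[role_user]
"""
# Constructed mapping of users to their directly assigned roles.
SAMPLE_USERS = {"alice": ["soc_investigator"], "bob": ["soc_readonly"], "carol": ["ess_admin"]}

def parse_roles(conf_text):
    """Return {role: (imported_roles, enabled_capabilities)} from [role_*] stanzas."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep key case, e.g. importRoles
    parser.read_string(conf_text)
    roles = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue
        opts = parser[section]
        imports = [r.strip() for r in opts.get("importRoles", "").split(";") if r.strip()]
        caps = {k for k, v in opts.items() if k != "importRoles" and v.strip().lower() == "enabled"}
        roles[section[len("role_"):]] = (imports, caps)
    return roles

def effective_caps(role, roles, seen=None):
    """Capabilities of a role including everything inherited via importRoles."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()  # unknown role or inheritance cycle
    seen.add(role)
    imports, caps = roles[role]
    return set(caps).union(*(effective_caps(p, roles, seen) for p in imports))

def audit(users, roles, capability="edit_timeline"):
    """Per user: can they create investigations, and is ess_admin assigned directly?"""
    return {u: {"can_create": any(capability in effective_caps(r, roles) for r in assigned),
                "direct_ess_admin": "ess_admin" in assigned}
            for u, assigned in users.items()}
```

Users reported with `direct_ess_admin` set are candidates for moving to a role that grants only the capability they need.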