Splunk Enterprise Security

Splunk Enterprise Security: What role or capability is needed to enable the investigations functionality for users?


Some users reported that the investigations functionality is not available for them in the Enterprise Security app. What role/capability should I assign to them?

0 Karma

Splunk Employee
Splunk Employee

To create investigations, a user must be an ess_admin or have the edit_timeline capability. See
http://docs.splunk.com/Documentation/ES/4.1.1/Install/ConfigureUsersRoles to see how to add the capability.

If they can see investigations but can't view specific investigations, they would need to be added as a collaborator on that investigation.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!