Hi Splunkers,
I know how we can restrict users from exporting data in Splunk Web.
Does anyone happen to know how we can restrict users from exporting data via the REST API or CLI?
If you don't want to allow them to export then you need to revoke their searching capability.
Because if they can search then Splunk doesn't have any control to stop them from exporting.
But anyway, if you wish to stop the user from running search queries, you can remove the search capability from the role. (By default the role user has this capability.) - https://docs.splunk.com/Documentation/Splunk/8.2.5/Security/Rolesandcapabilities
Thanks for your response.
I have one more doubt.
Is it possible to set up a new port dedicated to the API in Splunk?
If yes, please tell me the process. Documentation would be appreciated.
No, I don't think so. The API works on Splunk's management port 8089.
Because they both are actually the same thing. Splunk does all its management through API as well.
Are there any best practices for running Splunk's API from an external system?
Documentation would be appreciated.
See if you can use SDK because that would be much easier and take care of most of the best practices.
- https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/
export_results_is_visible capability in the answer.
(Basically it will hide the "Export Results" button on Splunk Web. - https://docs.splunk.com/Documentation/Splunk/8.2.5/Security/Rolesandcapabilities )
By default, this capability is available with the user role. So you need to create a new role similar to the user but then exclude this capability.
Or you can modify the default user role and remove this capability. (If you want this to happen to specific users, don't take this approach)
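
To check which roles actually end up with `search` and `export_results_is_visible`, the two capabilities named in the answers in this thread, here is an added example (not code from any poster or from Splunk) that resolves role inheritance in an `authorize.conf`-style file. It assumes `[role_<name>]` stanzas, a semicolon-separated `importRoles` key, and capabilities that only accumulate through imports; the sample roles are constructed.

```python
import configparser

# Constructed sample in authorize.conf style (not from the thread).
# analyst_* and dashboard_only are hypothetical role names.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled
export_results_is_visible = enabled
[role_analyst_noexport]
search = enabled
[role_analyst_inherits]
importRoles = user
[role_dashboard_only]
list_inputs = enabled
"""

def effective_capabilities(conf_text):
    """Return {role: set(capabilities)} with importRoles resolved."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. importRoles
    cp.read_string(conf_text)
    roles = {s[len("role_"):]: dict(cp[s])
             for s in cp.sections() if s.startswith("role_")}

    def resolve(role, seen):
        if role in seen or role not in roles:
            return set()  # break import cycles, skip undefined roles
        caps = {k for k, v in roles[role].items()
                if v.strip().lower() == "enabled"}
        for parent in roles[role].get("importRoles", "").split(";"):
            if parent.strip():
                # Assumption: imported capabilities are additive.
                caps |= resolve(parent.strip(), seen | {role})
        return caps

    return {r: resolve(r, frozenset()) for r in roles}

def audit(conf_text):
    """Classify each role by what it can do with search results."""
    report = {}
    for role, caps in effective_capabilities(conf_text).items():
        if "search" not in caps:
            report[role] = "no search: nothing to export"
        elif "export_results_is_visible" in caps:
            report[role] = "search + Export button"
        else:
            report[role] = "Export button hidden, search still allowed"
    return report

if __name__ == "__main__":
    for role, verdict in audit(SAMPLE_AUTHORIZE_CONF).items():
        print(f"{role}: {verdict}")
```

In the sample, the role that imports `user` still shows the Export button, while the role that re-declares only `search` does not.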
Thanks for your quick response.
As I already mentioned, I know the "export_results_is_visible" role capability makes the restriction on Splunk Web.
I just want to restrict a specific user from exporting via the REST API or CLI.
Is it possible?