Splunk Enterprise

How to restrict users from export data via RestAPI, CLI ?

human96
Communicator

Hi splunkers,

i know how we can restrict users from export data in splunk web. 

Does anyone happens to know , how can we restrict users from export data via RestAPI, CLI ?

0 Karma
1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

If you don't want to allow them to export then you need to revoke their searching capability.

Because if they can search then Splunk doesn't have any control to stop them from exporting.

But anyways if you wish the user from running the search queries you can remove search capability from the role. (By default the role user has this capability.) - https://docs.splunk.com/Documentation/Splunk/8.2.5/Security/Rolesandcapabilities 

View solution in original post

VatsalJagani
SplunkTrust
SplunkTrust

If you don't want to allow them to export then you need to revoke their searching capability.

Because if they can search then Splunk doesn't have any control to stop them from exporting.

But anyways if you wish the user from running the search queries you can remove search capability from the role. (By default the role user has this capability.) - https://docs.splunk.com/Documentation/Splunk/8.2.5/Security/Rolesandcapabilities 

human96
Communicator

Thanks for your response .

i have one more doubts.

Is it possible to set up a new port dedicated to API in splunk ?

if yes please tell me the process , Documentation would be appreciated.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

No, I don't think so. The API works on Splunk's management port 8089.

Because they both are actually the same thing. Splunk does all its management through API as well.

0 Karma

human96
Communicator

is there any best practices for running Splunk's API from an external system? 

Documentation would be appreciated.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

See if you can use SDK because that would be much easier and take care of most of the best practices.

https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/ 

 

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

export_results_is_visible capability in the answer.
(Basically it will hide the "Export Results" button on Splunk Web. - https://docs.splunk.com/Documentation/Splunk/8.2.5/Security/Rolesandcapabilities )

By default, this capability is available with the user role. So you need to create a new role similar to the user but then exclude this capability.

Or you can modify the default user role and remove this capability. (If you want this to happen to specific users, don't take this approach)

0 Karma

human96
Communicator

Thanks for your quick response.

As i already mentioned i know "export _ results _ is _ visible" role capability makes the restriction on SplunkWeb.

i just want to  restrict a specific user to export from RestAPI, CLI.

is it possible ?

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust
Sorry about misunderstanding the question. Posted a seperate response//
0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...