Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Assigning User Permissions to Update Forwarders

bteele
New Member
‎05-25-2018 07:06 AM

Is there a way to assign permissions to Splunk users that will allow them access to delete old forwarders from Forwarder Management and rebuild the forwarder assets under Monitoring Console, but not grant them full admin rights to the rest of the system? I'm looking to get granular on the admin permissions, as different shifts will be responsible for updating the forwarders list as servers are commed and decommed.

We're on Splunk Enterprise 7.0.2 with a distributed environment with a dedicated deployment server.

Tags (1)
0 Karma
Reply

adonio
Ultra Champion
‎05-25-2018 08:44 AM

hello there,

when you say "delete" from forwarder management, do you mean to remove the name of the forwarder that appears as down or not phoned home for a while?
as for the forwarders list under MC, not sure why manually do so as it updates every interval you set ...
can you elaborate a little on your use case and the drive behind it?

0 Karma
Reply

bteele
New Member
‎05-25-2018 08:55 AM

We have an alert that fires off every hour if any forwarders are "missing" ie not current (out of box "DMC Alert - Missing forwarders").

When a server is decommed in our environment, the client instance in Forwarder Management alerts as not having phoned home. We have to then go in and "delete" the entry in Forwarder Management, and then also rebuild the forwarder assets in Monitoring Console. If we don't do the latter, we continue to get the missing forwarders alert, even if it's been deleted from Forwarder Management.

What I'm looking for are the permissions required to manually complete these two tasks. If the "DMC Forwarder - Build Asset Table" report (which we have enabled) is supposed to clean up the table, then it's not working. If I don't get notified of a decomm, then the forwarder goes missing, and I have to log in to delete it and rebuild. I'm looking to give that ability to others as well.

If there's another functionality available that will automate the process, that'd be great, too. But our previous admin said it had to be done manually.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...