Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Assigning User Permissions to Update Forwarders

bteele
New Member
‎05-25-2018 07:06 AM

Is there a way to assign permissions to Splunk users that will allow them access to delete old forwarders from Forwarder Management and rebuild the forwarder assets under Monitoring Console, but not grant them full admin rights to the rest of the system? I'm looking to get granular on the admin permissions, as different shifts will be responsible for updating the forwarders list as servers are commed and decommed.

We're on Splunk Enterprise 7.0.2 with a distributed environment with a dedicated deployment server.

Tags (1)
0 Karma
Reply

adonio
Ultra Champion
‎05-25-2018 08:44 AM

hello there,

when you say "delete" from forwarder management, do you mean to remove the name of the forwarder that appears as down or not phoned home for a while?
as for the forwarders list under MC, not sure why manually do so as it updates every interval you set ...
can you elaborate a little on your use case and the drive behind it?

0 Karma
Reply

bteele
New Member
‎05-25-2018 08:55 AM

We have an alert that fires off every hour if any forwarders are "missing" ie not current (out of box "DMC Alert - Missing forwarders").

When a server is decommed in our environment, the client instance in Forwarder Management alerts as not having phoned home. We have to then go in and "delete" the entry in Forwarder Management, and then also rebuild the forwarder assets in Monitoring Console. If we don't do the latter, we continue to get the missing forwarders alert, even if it's been deleted from Forwarder Management.

What I'm looking for are the permissions required to manually complete these two tasks. If the "DMC Forwarder - Build Asset Table" report (which we have enabled) is supposed to clean up the table, then it's not working. If I don't get notified of a decomm, then the forwarder goes missing, and I have to log in to delete it and rebuild. I'm looking to give that ability to others as well.

If there's another functionality available that will automate the process, that'd be great, too. But our previous admin said it had to be done manually.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...