Splunk Search

SPL | REST command does not work when non-Admin

simpkins1958
Contributor

User with these capabilities fails, but ADMIN user works.

alt textThis SPL works fine when logged in as ADMIN, but does not work when logged in as a poweruser account. What capabilities do I need to turn on for user when not ADMIN?

| rest splunk_server=local /services/authentication/httpauth-tokens
| search NOT userName="splunk-system-user"
| eval _time = strptime(timeAccessed, "%c")
| rename userName AS user
| table _time user

Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/authentication/httpauth-tokens?count=0 from server https://127.0.0.1:8089. Check that the URI path provided exists in the REST API.

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@simpkins1958 ,

For the specific rest endpoint you are using, you should add list_httpauths in addition to the rest_properties_get

Details in : https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Rolesandcapabilities

Happy Splunking!

View solution in original post

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@simpkins1958 ,

For the specific rest endpoint you are using, you should add list_httpauths in addition to the rest_properties_get

Details in : https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Rolesandcapabilities

Happy Splunking!
0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@simpkins1958 ,

rest_properties_get should be enough if you want to use GET

Reference : https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Rolesandcapabilities

Happy Splunking!
0 Karma

simpkins1958
Contributor

rest_properties_get has been enabled and still not working.

0 Karma

anwarmian
Communicator

If you provide all the capabilities to a user level role it still won't work.  I gave all the capabilites--I mean all still the user didn't have | rest splunk_server=local /services/authentication/ capabilities.  Only the Admin role has.

0 Karma
Get Updates on the Splunk Community!

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...