Splunk Search

SPL | REST command does not work when non-Admin

Contributor

User with these capabilities fails, but ADMIN user works.

alt textThis SPL works fine when logged in as ADMIN, but does not work when logged in as a poweruser account. What capabilities do I need to turn on for user when not ADMIN?

| rest splunk_server=local /services/authentication/httpauth-tokens
| search NOT userName="splunk-system-user"
| eval _time = strptime(timeAccessed, "%c")
| rename userName AS user
| table _time user

Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/authentication/httpauth-tokens?count=0 from server https://127.0.0.1:8089. Check that the URI path provided exists in the REST API.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

@simpkins1958 ,

For the specific rest endpoint you are using, you should add list_httpauths in addition to the rest_properties_get

Details in : https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Rolesandcapabilities

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

@simpkins1958 ,

For the specific rest endpoint you are using, you should add list_httpauths in addition to the rest_properties_get

Details in : https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Rolesandcapabilities

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

@simpkins1958 ,

rest_properties_get should be enough if you want to use GET

Reference : https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Rolesandcapabilities

0 Karma

Contributor

rest_properties_get has been enabled and still not working.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!