Splunk Search

SPL | REST command does not work when non-Admin

simpkins1958
Contributor

User with these capabilities fails, but ADMIN user works.

alt textThis SPL works fine when logged in as ADMIN, but does not work when logged in as a poweruser account. What capabilities do I need to turn on for user when not ADMIN?

| rest splunk_server=local /services/authentication/httpauth-tokens
| search NOT userName="splunk-system-user"
| eval _time = strptime(timeAccessed, "%c")
| rename userName AS user
| table _time user

Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/authentication/httpauth-tokens?count=0 from server https://127.0.0.1:8089. Check that the URI path provided exists in the REST API.

0 Karma
1 Solution

renjith_nair
Legend

@simpkins1958 ,

For the specific rest endpoint you are using, you should add list_httpauths in addition to the rest_properties_get

Details in : https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Rolesandcapabilities

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma

renjith_nair
Legend

@simpkins1958 ,

For the specific rest endpoint you are using, you should add list_httpauths in addition to the rest_properties_get

Details in : https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Rolesandcapabilities

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

renjith_nair
Legend

@simpkins1958 ,

rest_properties_get should be enough if you want to use GET

Reference : https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/Rolesandcapabilities

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

simpkins1958
Contributor

rest_properties_get has been enabled and still not working.

0 Karma

anwarmian
Communicator

If you provide all the capabilities to a user level role it still won't work.  I gave all the capabilites--I mean all still the user didn't have | rest splunk_server=local /services/authentication/ capabilities.  Only the Admin role has.

0 Karma
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...