Splunk Search

Which permission do I need to share sourcetype with users?

test2001
Observer

Hey everyone and I hope your having a great day!

I have configured a custom field extraction in the Splunk search app for my sourcetype but I don't have the possibility to share them with other users like I can do with another Splunk instance where I have the role Power (With Power role, I can share it no problem).

I don't want to assign myself the Power role since it's broad and wouldn't follow the rule of least privilege. For this reason which permission would I need to assign myself in order to be able to share my data extraction with other users?

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @test2001,

when you create a knowledge object (like a field) and share it (at App or Global level) you have to define the permissions for each role of your Splunk, at this moment you can give the permissions you need using the active roles of your Splunk.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...