After some reading https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities Followed by experimenting and testing... The current platform versions provide a capability called edit_upload_and_index which is defined as “Lets the user use the indexing preview feature when creating inputs in Splunk Web” This sounds highly promising, however granting that capability alone does not enable the Add Data Button in the settings menu.. In order to present the option to a standard user, additionally the edit_tcp_stream capability is also required – this is not immediately obvious, because the name of the capability masks the documented definition: “Lets the user send data to the the /services/receivers/stream REST endpoint.”   I suspect that this second permission has the side effect of granting access to the relevant rest API which allows the /manager/<app>/adddata button to be added to the settings menu. These two permissions allow the Upload Data option to function, and whilst the option is also presented for other monitor types, the UI throws a (partial) 404 and prevents the user from adding anything more exotic. It is not clear to me if this is an expected combination of permissions Splunk intends you to grant (in which case, I will submit a documentation update suggestion) or if the edit_upload_and_index capability is intended to facilitate the outcome on its own. TLDR: To enable a non-admin user to upload files via the UI (in at least Splunk versions greater than 9.3), grant the edit_upload_and_index AND edit_tcp_stream capability to the users role.   ... View more

Solution Use the latest version of the Splunk release train. Upgrading to the latest version of the destination version will mitigate this issue. The Splunk documentation (https://docs.splunk.com/Documentation/Splunk/8.2.4/Installation/HowtoupgradeSplunk) Suggests that to upgrade to the latest version, for 7.3.x starting points you need to migrate to a 8.0.x or 8.1.x version. In reality this is slightly more nuanced as there are specific version incompatibilities that need to be considered. As a general rule, when performing updates, you should select the latest version of the release, even if this is an intermediate step to an eventual target version.  7.3.9 > 8.1.72 > 8.2.4  (latest versions at date of this post)   ... View more

Where are you seeing this? Inside the web datamodel? In which case, the action field should look like this (see attached) If you really want to include that additional logic into the datamodel (which I am reluctant to advise) you will need to change it to a "case" statement, you cant just layer up additional "if()"s.   case(action="File quarantined","blocked", isnull(action) OR action="","unknown", 1=1, action)   ... View more