Users and Splunks
Manage user accounts
Web interface
To create a user go to the Admin section, select the Users tab, and click New User. Fill in each of the fields with the appropriate value.
Splunk usernames are only available if you have a Splunk Professional license. Users have three different roles: User, Power and Admin.
- Username & Password - You can include spaces and international characters in usernames and passwords.
- Full Name - This is the name that will be displayed for the user, but not used for login.
- Role - Splunk has three levels of user accounts.
- User: Regular users can search any index, and create Saved Splunks for themselves.
- Power: Power users can create both Saved Splunks and Live Splunks, and share them so they show up on all users' menus. They can also tag event types and hosts, and edit source type names.
- Admin: Admins can edit server settings, user accounts, data inputs, licenses and Splunk-2-Splunk configuration.
Command line interface
- Create a user:
# splunk add user -username John -full-name "John Doe" -password 123456 -role user -auth admin:changeme
- Delete a user:
# splunk remove user -username John -auth admin:changeme
- Export user accounts (see note below):
# splunk export userdata -dir /tmp/userdata -auth admin:changeme
- Import user accounts (see note below):
# splunk import userdata -dir /tmp/userdata/ -auth admin:changeme
Export / Import
To migrate user accounts across servers, you must also copy the file splunk.secret, which contains the authentication and authorization information. Depending on the version of Splunk Server, this file is found in one of these two locations:
- /opt/splunk/etc/splunk.secret (v 2.0)
- /opt/splunk/etc/auth/splunk.secret (v 2.1)
You must copy splunk.secret to the target servers as well as importing the user data.
The example below would transfer 2.0 user accounts from a server installed in /opt/splunk-2.0.15 to a 2.1 server installed in /opt/splunk-2.1:
# /opt/splunk-2.0.15/bin/splunk export userdata -dir /tmp/userdata -auth admin:changeme
# cp /opt/splunk-2.0.15/etc/splunk.secret /opt/splunk-2.1/etc/auth/splunk.secret
# /opt/splunk-2.1/bin/splunk import userdata -dir /tmp/userdata/ -auth admin:changeme
This process will be simplified in a future release.
Config files
User accounts are stored in a SQLite database. There's no easy way to import and export them via configuration files.
Manage Saved Splunks
Web interface
In the search box enter the desired search term(s) and have Splunk return results. Once you are satisfied with the results returned:
- Click the Splunks link above the search box
- In the expanded drop-down select Save
- Specify a name for the saved splunk. This is the name that you will specify when using the savedsplunk:: operator
Command line interface
- Create a saved splunk:
# splunk add savedsplunk -name everything -terms "meta::all" -shared true -auth admin:changeme
- Edit a saved splunk:
# splunk edit savedsplunk -name everything -shared false -auth admin:changeme
- Remove a saved splunk:
# splunk remove savedsplunk -name everything -auth admin:changeme
Config files
$SPLUNK_HOME/etc/bundles/local/savedsplunks.conf
Saved Splunks are configured in the same format as data inputs and properties. Below is an example Saved Splunk called find-everything.
[find-everything]
id = 10
isglobal = 1
query = <query><keys><key>meta::all</key></keys></query>
name = find-everything
userid = 1
This file can be copied to another bundles directory on another Splunk instance. However, if the saved Splunk was created by a user other than admin, that user account and its corresponding user id need to exist on the target Splunk instance. Import the user data using the splunk import command documented above. Alternatively, you can change all of the user ids to 1, the userid of the admin account.
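The following is an added example, not part of the Splunk documentation or product: it rewrites the userid lines of a savedsplunks.conf (using the stanza format shown above) before the file is copied to a target instance, reassigning to admin (userid 1) only those stanzas whose owner does not exist on the target. The sample conf, the errors-only stanza and userid 7 are constructed for the example.

```python
# Rewrite savedsplunks.conf ownership before copying it to another instance.
import re
from typing import List, Set, Tuple

# Constructed sample of a 2.x savedsplunks.conf; userid 7 is hypothetical and absent on the target.
SAMPLE_CONF = """\
[find-everything]
id = 10
isglobal = 1
query = <query><keys><key>meta::all</key></keys></query>
name = find-everything
userid = 1

[errors-only]
id = 11
isglobal = 0
query = <query><keys><key>error</key></keys></query>
name = errors-only
userid = 7
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^(?P<key>\w+)\s*=\s*(?P<value>.*)$")
ADMIN_USERID = "1"  # userid of the admin account on every instance


def stanza_userids(text: str) -> List[Tuple[str, str]]:
    """Return (stanza name, userid) for every stanza in the conf text."""
    result, current = [], None
    for line in text.splitlines():
        if m := STANZA_RE.match(line):
            current = m.group("name")
        elif (m := KEY_RE.match(line)) and m.group("key") == "userid":
            result.append((current, m.group("value").strip()))
    return result


def reassign_orphans(text: str, target_userids: Set[str]) -> Tuple[str, List[str]]:
    """Point stanzas whose userid is absent on the target at admin; return (new text, reassigned names)."""
    out, reassigned, current = [], [], None
    for line in text.splitlines():
        if m := STANZA_RE.match(line):
            current = m.group("name")
        elif (m := KEY_RE.match(line)) and m.group("key") == "userid":
            if m.group("value").strip() not in target_userids:
                line = f"userid = {ADMIN_USERID}"  # only the userid line changes
                reassigned.append(current)
        out.append(line)  # every other line is copied through verbatim
    return "\n".join(out) + "\n", reassigned
```

Pass the set of userids that actually exist on the target (for example, after a splunk import userdata run) so that accounts you did migrate keep ownership of their saved Splunks.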
This documentation applies to the following versions of Splunk: 2.1, 2.2, 2.2.1, 2.2.3, 2.2.6