Capabilities
This documentation does not apply to the most recent version of Splunk.
Splunk comes pre-configured with all the capabilities you need to run the software. For a list of Splunk's built-in capabilities, see Splunk:preview:AuthorizeConf:latest.
Note: This list is in flux. Capabilities may change frequently during the development process.
Add a capability
You may wish to add your own capability. Currently, the only capabilities you can add are ones that allow running scripts you have created and placed in $SPLUNK_HOME/bin.
To add a capability to authorize.conf:
- Create your own authorize.conf file in $SPLUNK_HOME/etc/bundles/local (or your own bundle directory).
- Add a capability::$CAPABILITY tag to the beginning of the file.
  - $CAPABILITY - For a script, this is run_script_$SCRIPT
Example
We have created the script loglady.py and copied it into $SPLUNK_HOME/bin.
To add a capability to run this script, add the following line to the top of $SPLUNK_HOME/etc/bundles/local/authorize.conf:
capability::run_script_loglady
Note: Leave off the suffix of the script (here, .py) when setting up your capability.
Now, add the capability to whatever role you want:
[role_Ninja]
run_script_loglady = enabled
edit_input = enabled
delete_input = enabled
edit_global_save_search = enabled
delete_global_save_search = enabled
create_alert = enabled
start_alert = enabled
start_global_alert = enabled
stop_alert = enabled
stop_global_alert = enabled
save_local_eventtype = enabled
edit_role_search = enabled
edit_local_search = enabled
edit_saved_search = enabled
savesearch_tab = enabled
allow_livetail = enabled
importRoles = Security;Compliance
srchFilter = host=swan OR host=pearl
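A least-privilege review of the configuration above, as an added example (not part of the Splunk documentation or Splunk's own code): it parses an authorize.conf in the layout shown on this page, reports which roles can run scripts, and flags any run_script_ capability that has no capability:: declaration. The sample file, the run_script_cleanup capability, and the reading of importRoles as pulling in another role's capabilities are assumptions.

```python
import re

# Constructed sample; run_script_cleanup and the two extra roles are hypothetical.
SAMPLE = """\
capability::run_script_loglady
[role_Ninja]
run_script_loglady = enabled
edit_input = enabled
importRoles = Security;Compliance
[role_Security]
run_script_cleanup = enabled
[role_Compliance]
edit_input = enabled
"""

def parse_authorize(text):
    """Return (declared capability names, {role: {key: value}})."""
    declared, roles, current = set(), {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("capability::"):
            declared.add(line[len("capability::"):].strip())
        elif m := re.fullmatch(r"\[role_(.+)\]", line):
            current = roles.setdefault(m.group(1), {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value
    return declared, roles

def script_grants(roles, role, seen=None):
    """run_script_* capabilities a role enables, directly or via importRoles.
    Assumption: importRoles = A;B pulls in the capabilities of role_A, role_B."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:  # import cycle or unknown role
        return set()
    seen.add(role)
    grants = {k for k, v in roles[role].items()
              if k.startswith("run_script_") and v.lower() == "enabled"}
    for parent in roles[role].get("importRoles", "").split(";"):
        grants |= script_grants(roles, parent.strip(), seen)
    return grants

def audit(text):
    """Map role -> (script capabilities held, those with no capability:: line)."""
    declared, roles = parse_authorize(text)
    held = {r: script_grants(roles, r) for r in roles}
    return {r: (sorted(g), sorted(g - declared)) for r, g in held.items() if g}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A role that appears in the second list holds a script-execution capability that was never declared at the top of the file, which is worth reconciling against the scripts actually present in $SPLUNK_HOME/bin.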
This documentation applies to the following versions of Splunk: 3.2