Admin Manual

 


Welcome to Splunk administration

About users and roles

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

About users and roles

If you're running Splunk Enterprise, you can create users with passwords and assign them to roles you have created. Splunk Free does not support user authentication.

Splunk comes with a single default user, the admin user. The default password for the admin user is changeme. As the password implies, you should change this password immediately upon installing Splunk.

About roles

A role contains a set of capabilities. For example, whether or not someone is allowed to add inputs or edit saved searches. The various capabilities are listed in "Add and edit roles" and in $SPLUNK_HOME/etc/system/README/authorize.conf.spec. Once a role exists, you can assign users to that role.

Additionally, whenever you create a user, you can automatically create a role for that user.

By default, Splunk comes with the following roles predefined:

  • admin -- this role has the most capabilities assigned to it.
  • power -- this role can edit all shared objects (saved searches, etc) and alerts, tag events, and other similar tasks.
  • user -- this role can create and edit its own saved searches, run searches, edit its own preferences, create and edit event types, and other similar tasks.

Disallowed characters

Usernames stored in Splunk's local authentication cannot contain spaces, colons, or forward slashes.

Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes.

Find existing users and roles

To locate an existing user or role in Manager, use the Search bar at the top of the Users or Roles page in the Access Controls section of Splunk Manager. Wildcards are supported. Splunk searches for the string you enter in all available fields by default. To search a particular field, specify that field. For example, to search only email addresses, type "email=<email address or address fragment>:, or to search only the "Full name" field, type "realname=<name or name fragment>. To search for users in a given role, use "roles=".

Search bar.jpg

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 4.3.7 View the Article History for its revisions.


Comments

Topic is useful however, consider posting or adding to this document the appropriate link to a training video on the subject.

Olopez77
June 25, 2010

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!