Splunk® Enterprise

Securing Splunk Enterprise

Create and manage roles with Splunk Web

On the Splunk platform, as an administrator, you can assign roles to users. These roles determine the level of access that those users have to the platform and the tasks that they can perform on the platform. comes with a set of default roles, and you can also create your own custom roles that you can tailor to the needs of your organization.

Roles can contain one or more capabilities that provide access to specific parts of the Splunk platform. A user that holds a role receives all of the capabilities that come with the role. Additionally, roles can inherit capabilities from other roles.

You can use roles for the following security-related tasks:

  • To restrict the scope of searches.
  • To inherit capabilities and available indexes from other roles.
  • To specify user capabilities.
  • To set the default index or indexes that a user is to search when they do not specify an index in their search command.
  • To specify which indexes that a user can search.

Do not edit any predefined roles to remove capabilities from them. The sc_admin role does not have enough permission to restore some of the capabilities you remove. Instead of deleting or editing the predefined roles, create custom roles that inherit from the predefined roles, and use and edit the custom roles as you need.

For more information about capabilities in user roles, see About defining roles with capabilities and List of capabilities

Manage role inheritance, searched indexes, restrictions, and available search resources

You use the "Roles" page in Splunk Web to create, manage, and delete roles. When you perform role management, you can modify the following role properties:

  • You can manage role inheritance. See "Specify role inheritance" later in this topic.
  • You can manage the indexes that a role has available to it, as well as which indexes the Splunk platform searches by default. See "Specify searchable indexes for a role" later in this topic.
  • You can apply a search filter to further limit search results. You can either specify the filter manually or use the search filter generator - a wizard that lets you build and populate the filter by using indexed fields and values found in those indexes. See "Specify search restrictions for a role" later in this topic.
  • You can control resource usage on the platform in several ways. See "Specify default app and search limits for a role" later in this topic:
    • You can limit disk space usage for search artifacts.
    • You can limit the number of searches that the role as a whole can run, and the number of searches that users who hold the role can run individually
    • You can specify the earliest time that a search can return results, which means you can limit results by the age of the data
    • You can limit searches to return results in a specific time window.

While you can have any role inherit from any other role, custom roles that inherit from the admin or power users roles do not automatically inherit administrator-level access to the instance. You must grant that access specifically.

Add or edit a role

Create or edit roles for your instance on the Roles page in Settings.

  1. Click Settings > Roles.
  2. Click New Role to create a new role, or click an existing role to edit it.
  3. Enter a name for your role.

    Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.

  4. Make adjustments to role settings by editing configurations in any of the tabs in this dialog box.
  5. After you have made the configuration changes that you want, click Save to save the role.

The only required element of a role is its name. You do not have to complete any of the following tabs to save a role.

Specify role inheritance

Use the 1. Inheritance tab to add or change the inheritance of existing roles.

  1. Click 1. Inheritance to display the contents of the Inheritance tab.
  2. (Optional) In the Role Name text box, type in characters to display roles whose names contain those characters.
  3. (Optional) Click the All column header to select from a menu of display options for roles: "Show selected", "Show unselected", or "Show all".
  4. (Optional) Click the checkbox next to an existing role from which you want this role to inherit. You can click multiple checkboxes, or select all existing roles by clicking the checkbox in the column header.

Specify role capabilities

Use the 2. Capabilities tab to add or change the capabilities that this role holds.

  1. Click 2. Capabilities to display the contents of the Capabilities tab.
  2. (Optional) In the Capability Name field, type in a string to display capability names that contain the string.
  3. (Optional) Click the All column header to select from a menu of display options for capabilities: "Show native", "Show inherited", "Show selected", "Show unselected", or "Show all".
  4. Click the checkbox next to the capabilities that you want to assign to this role.
  5. Click Save.

    Capabilities that the current role has inherited from other roles appear as grayed out and selected. You cannot deselect capabilities that come with inherited roles.

Specify searchable indexes for a role

Use the 3. Indexes tab to choose the indexes that the role can search, and which ones it should search by default.

You can specify both event and metric indexes. You can also specify wildcards that match more than one index. If a user with the role runs a metrics search without a specified index, the search includes results from the default metrics indexes that you assign to the role. You must select at least one index with data here if you want to be able to use the SPL Search Filter generator in the 4. Restrictions tab.

Wildcards let you specify all indexes that match the text you enter. For example, if you specify a wildcard of "index_us*," it captures all existing indexes that begin with index_us. Wildcards that you create appear in the Indexes table in alphabetical order, as selected and default indexes.

You can create multiple wildcards, but they only apply to the current role. You cannot transfer wildcards to other roles; instead you must explicitly create the same wildcard by editing the roles and adding the wildcards there. To delete a wildcard from a role, confirm that the wildcard is neither a selected nor a default index, and save the role.

  1. Click 3. Indexes to display the contents of the Indexes tab.
  2. (Optional) In the Wildcards section, enter a string that contains the * character and specifies the group of indexes you want to search, then click Create.

    You can repeat this action to add more wildcards. If a wildcard already exists, Splunk Web advises you.

  3. (Optional) In the Index Name field, type in a string to display index names that begin with that string.
  4. (Optional) Click the All column header to select from a menu of display options for indexes: "Show native", "Show inherited", "Show selected", "Show unselected", or "Show all".
  5. Click the Included checkbox for an index to include search results from that index for this role.
  6. Click the Default checkbox for an index to include search results from that index when a user that holds this role does not specify an index in their search.

    Indexes from inherited roles appear as grayed out and selected. You cannot deselect indexes that come with inherited roles.

Specify search restrictions for a role

Use the 4. Restrictions tab to limit the scope of search results that return when users with the role run searches. The search filter combines with the base search that users with the role run, based on several factors. The search job returns only the results that arise from the combined search.

For more information on valid syntax to use with the search filter, see "SPL search filter syntax" later in this topic.

  1. Click 4. Restrictions to display the contents of the Restrictions tab.
  2. In the SPL Search filter field, type in a valid SPL string that combines with any base search that a user with this role runs.
  3. (Optional) Use the Search filter SPL generator to create a search filter.
    1. In the Indexed fields and values time range drop down list, choose a time range to search for indexed fields and their associated values.

      For these controls to work, you must have selected at least one index with data in the Indexes tab. Changing the default time of 60 seconds can increase the amount of time it takes to populate the Indexed Fields and Values text boxes, but might be necessary to retrieve a comprehensive list of indexed fields.

    2. In the "Indexed fields" text box, do one of the following:
      1. Click on the text box to display a drop-down list box that contains the most common indexed fields that were found, based on the indexes you have selected in the 3. Indexes tab and the time that you specified in the "Indexed fields and values time range" setting. The |walklex search command populates this field.
      2. Enter the name of an indexed field.

      If you select an indexed field that is already present in the SPL search filter, Splunk Web displays a message about possible SPL collisions. Review the filter to confirm that there are no unintended conflicts.

    3. In the "Values" text box, do one of the following:
      1. Click on the text box to display a drop-down list box that shows the top 250 indexed field values that were found, in lexical order, based on the fields you selected in the "Indexed fields" text box.
      2. Enter a custom field value directly. You can also use wildcards.
    4. Use the Concatenation option drop-down list box to determine how the SPL generator adds SPL text that it generates to any existing text in the SPL search filter.
      1. Choose "AND" to add the generated SPL prepended with the AND keyword
      2. Choose "OR" to add the generated SPL prepended with the OR keyword.
      3. Choose "NOT" to add the generated SPL prepended with the NOT keyword.

      If the search filter does not have any text in it, the "Concatenation option" drop-down list box is disabled.

    5. Review the SPL that the SPL generator proposes adding to the SPL search filter.
    6. If you are satisfied with the SPL that has been generated, click Add to SPL search filter. The SPL generator updates the SPL search filter text box with the generated text. If there is already text in the filter text box, the SPL generator appends the generated text. Depending on the concatenation option you chose, the SPL generator adds the text after the "AND", "OR", or "NOT" keyword.
    7. (Optional) If you do not like the SPL that you generated with the SPL generator, you can remove the text that you added by clicking Reset.
    8. (Optional) If you want to see how the search filter can affect search results before you apply it, click Preview search filter results. This action opens a new Search page that shows the results of a search with the current search filter.
    9. The search preview results are an example of what a user with this role might see. Several factors can alter the actual results from what the preview shows.

      The preview makes the assumption that the user holds only this role. While it includes results from inherited indexes, it does not include any search filters that might exist in inherited roles.

      If, on Splunk Enterprise, you have configured the instance so that search filters for a role eliminate, rather than select results, actual results might be the opposite of what you see in the preview. The srchFilterSelecting setting in the authorize.conf configuration file controls whether search filters select or eliminate results. The srchFilterSelecting setting is true by default, which means that search filters select the results that the user can see. A false value configures search filters to eliminate results.

Specify default app and search-related limits for a role

In the 5. Resources tab, you can control the default app that a user with this role sees when they log into the Splunk platform. You can also control various search job characteristics and limits, including but not limited to the earliest time that a search can return results.

  1. (Optional) In the Default app dropdown, select the default Splunk app that appears when a user that holds this role logs in.
  2. (Optional) In the Role search job limit section, enter the maximum number of standard searches that this role can run at a time in the Standard search job limit text box.

    To remove search limits, you can enter 0 in this and other search limit text boxes.

  3. (Optional) Enter the maximum number of real-time searches that a user with this role can run at a time in the Real-time search job limit text box.
  4. (Optional) In the User search job limit section, enter the maximum number of standard searches that users can run at a time in the Standard search job limit text box.
  5. (Optional) In the Role search time window limit section, select a standard search maximum time range for this role. Click the drop-down list box to choose a value:
    Setting Description Can inherited roles override this setting?
    Unset Historical searches run by this role do not have a time range limit. Yes
    Infinite Historical searches run by this role do not have a time range limit. No
    Custom time Exposes a text box where you can define a maximum time range in seconds for historical searches run by this role. Yes

    The Splunk platform applies custom time range limits backwards from the latest time that you specify for a search.

    If a user has multiple roles with custom time range limits, or has roles that inherit from roles with custom time range limits, the Splunk platform applies the least restrictive search time range limits to the role. For example, if you have a user named 'Blue' who has role A with a custom time of 30 seconds, role B with a custom time of 60 seconds, and role C with a custom time of 3600 seconds. Blue would get the maximum search time range of 3600 seconds, or 1 hour.

    This setting does not apply to real-time searches.

  6. (Optional) Also in the Role search time window limit section, select the earliest time that the Splunk platform can return results for a search for this role.

    When you use this field, the platform returns only the events whose timestamp is between the number of seconds you specify here, and the current time.

    The available settings and options for the earliest-time search input field are identical to those that are in the search time range input field. See the previous step in this procedure.
  7. (Optional) In the Disk space limit section, enter the amount of disk space that search jobs for this role can take up at a given time in the Standard search limit text box.

Save changes to role configurations

You must save changes to role configurations, including search time restrictions, and restart the Splunk platform before those changes can take effect. If you do not restart, the instance cannot enforce your configurations and restrictions.

  • To save all of the changes you have made and close the dialog box, click Save.
  • If you do not want to save the changes, click Cancel.

    If you click Cancel, you lose any unsaved changes that you have made since you opened the Roles dialog box.

For more information about restarting the Splunk platform, see Start and stop Splunk Enterprise in the Admin Manual.

SPL search filter syntax

The SPL search filter field in the 4. Restrictions tab accepts any of the following search terms:

  • source::
  • host::
  • index::
  • sourcetype::
  • eventtype= or eventtype::
  • The keywords AND, OR, or NOT
  • Search fields

You can enter SPL manually into the SPL search filter text box, or use the SPL generator to create SPL for the search filter based on fields and field values that you have indexed.

You can use wildcards. Use OR to allow multiple terms, or AND to make the filter more restrictive.

Caveats to using the SPL search filter

The search terms cannot include any of the following:

  • Saved searches
  • Time operators
  • Regular expressions
  • Subsearches
  • Macros
  • The inputlookup command
  • Any fields or modifiers that you can override from the Splunk Web search bar

Usage of search filter syntax

When you specify search term filters, use the key::value syntax, rather than key=value, where possible, to restrict search terms to indexed fields. If you specify the key=value syntax as part of a filter, the search filter dialog box warns you that usage of the = operator can result in poor search performance for users who hold the role. Also, it is not secure to use the operator because filters with the operator can be bypassed by user knowledge objects.

If you attempt to add an indexed field that already exists in the current search filter, the page warns you that the indexed field already exists to ensure that you have no unintended SPL conflicts in the search filter.

For search filters with metrics data, use the key=value to specify search restrictions to metrics fields. This is because the key::value syntax does not work for searches over metrics data. In this case, you can safely disregard syntax warnings about the = operator that the search filter dialog box presents.

Do not use search filters that restrict indexes for metrics indexes. This can result in missing results when you run the mpreview command on those indexes.

System User Roles

The Splunk platform uses system user roles to perform essential monitoring and maintenance activities.

The Splunk platform uses the Admin role and system user roles to perform essential monitoring and maintenance activities. You might observe the Admin and system user roles authenticating into your Splunk Cloud Platform environment as part of the platform performing monitoring and maintenance activities. The platform performs these activities in accordance with a comprehensive security program designed to protect the confidentiality, integrity, and availability of your data.

In addition to these user roles, the Splunk platform also uses ephemeral system user roles to perform essential monitoring and maintenance activities. Ephemeral system user roles begin with the prefix int_, and you can use the following search command to audit those users.

index=_audit user=int* "login attempt"

General abilities of system user roles

The following table provides information about the general abilities of the internal_* system user roles.

internal_ops_admin internal_automation, internal_monitoring, internal_observability
Search internal data x
Search external data
Manage configurations x
Manage authentication
Manage ingestion x
Restart the Splunk platform x
Gather internal metadata x x
Last modified on 22 November, 2024
Create and manage users with Splunk Web   Find existing users and roles

This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters