Splunk® Success Framework

Splunk Success Framework Handbook

Download manual as PDF

Download topic as PDF

User enablement best practices for a Splunk deployment

User enablement is about motivating your users to learn and grow. When you provide an environment of incentive-driven access, you encourage users to explore and implement best practices, which adds value to the whole user community.


  • Search expert
  • Program manager
  • Project manager
  • User community

For more about these roles, see Roles best practices.

Guidelines for enabling users

To maximize user enablement, focus on these main principles:

  • Incentive-driven user access
  • User experience
  • User roles and capabilities
Don't be a "data butler"
Users often want to skip the required education. If you are providing users with access and the information they need, this leaves them with little incentive to expand their own knowledge. Make sure users are motivated to learn best practices. This means limiting their access until they've completed certification and education.
Encourage customer-facing groups to explore value-add activities
Empowering users become capable of manipulating the data themselves leads to richer, dynamic insights that enables users to answer their own questions and make data-driven decisions.
Require an education path prior to granting access
Users can own and drive their own basic searching when they have established education paths and certification requirements. For recommended education requirements, see Roles best practices.
Grant capabilities to advanced users only
Grant capabilities only to users who qualify with your certification or education requirements. This means limited or no access until users have completed certification. Limiting access ensures that users are empowered to learn and implement their own best practices.

Guidelines for managing user experience

Give each team their own app
Create an app for each team and set this as the default in the navigation. Use the app as the team's dedicated workspace.
Create a welcome page for each team
Set up a welcome page for each team to improve the user onboarding experience and facilitate easy access to the resources they need. To create welcome pages, download the Welcome Page Creator from Splunkbase. For more information, see Welcome page best practices.
Hide all other apps
Remove read permissions for apps the user does not need, and to apps the user is not certified to use. As a general best practice, ensure that users are not distracted by other items deployed to the Splunk environment.

Guidelines for managing user roles and capabilities

Split roles and capabilities
Create roles based on data access and roles based on capabilities. This enables you to customize user access many ways without needing to create new roles. For more information about separating roles and access to capabilities, see Role-based data management best practices.
Limit permissions
Consider limiting permissions for features such as acceleration, scheduled searches, and real-time searches. If necessary, use search limits. Limiting permissions will optimize your search capacity. When granting capabilities, consider whether the feature you are granting access to could impact Splunk performance in a recurring way, such as scheduled searches, report acceleration, or searches that exceed the Splunk timeout limit.
Data onboarding best practices for a Splunk deployment
Lab environment best practices for a Splunk deployment

This documentation applies to the following versions of Splunk® Success Framework: ssf

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters