Splunk® Enterprise

Securing Splunk Enterprise

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Add and edit roles with Splunk Web

When you create users, you assign them to roles that determine the level of access to Splunk Enterprise and the tasks that they can perform. Splunk Enterprise comes with a set of default roles that you can use. You can also create your own.

For information about roles and how capabilities and permissions are inherited, see About role-based user access.

Note: Custom roles that inherit from Admin or Power users do not automatically inherit management access. For information about granting management access to custom roles, see Add access controls to custom roles.

Add or edit a role

To create or edit roles in Splunk Web:

1. Click Settings > Access Controls.

2. Click Access controls page click Roles.

3. Click New or select and edit an existing role. Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes.

4. In the Inheritance section, select roles that you want your new role from which you want to inherit capabilities and properties. A user assigned to multiple roles inherits properties from the role with the broadest permissions. See Role inheritance in the About role-based user access topic for more information.

5. In the Capabilities section, choose any individual capabilities you want to provide to this role. See About defining roles with capabilities for more information.

6. In Indexes searched by default specify the indexes that this role will automatically search if no index is specified in the search.

7. In Indexes select indexes the user is allowed to search. If you add at least one index, a user with this role will only be able to conduct searches on the index or indexes selected. If you do not specify any indexes at all, the user assigned to the role is able to search all indexes.

8. Click Save.

Search filter format

The Search filter field can include any of the following search terms:

  • source=
  • host=
  • index=
  • eventtype=
  • sourcetype=
  • search fields

You can use wildcards. Use OR to allow multiple terms, or AND to make the filter more restrictive.

The search terms cannot include:

  • saved searches
  • time operators
  • regular expressions
  • any fields or modifiers that Splunk Web can overwrite
About defining roles with capabilities
Add and edit roles with authorize.conf

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0



You should be able to fix this by directly editing the admin permissions in the configuration file. From the command line copy authorize.conf from /etc/system/default and put in /etc/system/local and edit the admin user role to return the permissions.

Jworthington splunk, Splunker
March 21, 2018

Hi, I believe I accidentally edited the default admin user to a power user and now I can no longer create new roles/users and there is no longer an Access Control menu option. First I tried logging in with the default admin credentials, but it did not let me. Then I tried uninstalling Splunk, so that I could reinstall and start all over again, but my machine won't let me uninstall.

March 21, 2018

Hi Sharding8,

That's an interesting result, thanks for letting us know. I'll consult with the team and test this out and let you know what is going on there as soon as possible.


Jworthington splunk, Splunker
June 21, 2017

Hi Srishtiarora,

To restrict, you simply do not list the desired logs or events. A NOT command isn't necessary.

Hope that helps!

Jworthington splunk, Splunker
June 21, 2017

In my testing, the statement "If you do not specify any indexes at all, the user assigned to the role is able to search all indexes." is not correct. If you specify no indexes, the user can't search anything in all the tests I've done.

June 21, 2017

How can we restrict the search in search filter with NOT.
Eg. I am expecting events with
abc .... def
and now I want to restrict the user to see logs or events with abc NOT xyz.
Is it possible? or I need to mention all the search items available for users.

May 8, 2017

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters