Splunk® Enterprise

Securing Splunk Enterprise

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Add and edit roles with Splunk Web

When you create users, you can assign roles that determine the level of access that users have to Splunk Enterprise, and the tasks that they can perform. Splunk Enterprise comes with a set of default roles that you can use. You can also create your own.

For information about roles and how capabilities and permissions are inherited, see About role-based user access.

Custom roles that inherit from Admin or Power users do not automatically inherit management access. For information about granting management access to custom roles, see Add access controls to custom roles.

Add or edit a role

Create or edit roles for your Splunk platform implementation on the Roles page in Settings.

  1. Click Settings > Access Controls.
  2. Click Access controls page click Roles.
  3. Click New or select and edit an existing role. Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes.
  4. In the Restrict search terms section, you can restrict the scope of the searches that users with the role can run. You can restrict the search terms they can use, set limits on search time, and set both user-level and role-level concurrent search limits.

    Search term restrictions offer limited security. A user can override some search term restrictions if they create a calculated field that references a field name listed here as a restricted term.

  5. In the Inheritance section, identify other roles that your role can inherit properties and capabilities from. A user assigned to multiple roles inherits properties from the role with the broadest permissions. See Role inheritance in the About role-based user access topic for more information.
  6. In the Capabilities section, choose any individual capabilities you want to provide to this role. See About defining roles with capabilities for more information.
  7. In Indexes searched by default, specify the indexes that this role will automatically search if no index is specified in the search. You can specify both event and metric indexes. If a user with the role runs an event search without a specified index, the search pulls events from the default event indexes assigned to the role. If a user with the role runs a metrics search without a specified index, the search pulls events from the default metrics indexes assigned to the role.
  8. In Indexes, select event and metric indexes the user is allowed to search. If you add at least one index, a user with this role will only be able to conduct searches on the index or indexes selected. If you do not specify any indexes at all, the user assigned to the role is able to search all indexes.
  9. Click Save.

Updates to the search term restrictions for a role do not take effect until you restart your Splunk platform implementation. If you do not restart Splunk, your Splunk platform will not enforce your search term restriction updates.

For more information about restarting Splunk, see Start and Stop Splunk Enterprise in the Admin Manual.

Search filter format

The "Restrict search terms" field can include any of the following search terms:

  • source::
  • host::
  • index::
  • sourcetype::
  • eventtype=
  • search fields

When you specify search term restrictions, use the key::value syntax, when possible, to restrict search terms to indexed fields. Normal field values can be overwritten with user knowledge objects. The key::value syntax only applies to indexed fields.

You can use wildcards. Use OR to allow multiple terms, or AND to make the filter more restrictive.

The search terms cannot include:

  • saved searches
  • time operators
  • regular expressions
  • any fields or modifiers that you can override from the Splunk Web search bar
Add and edit users
Add and edit roles with authorize.conf

This documentation applies to the following versions of Splunk® Enterprise: 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8


Hi Dijikul,

Yes, this topic discusses the "Restrict search terms" field in the "Add role" or "Edit role" screen. Thank you for the heads-up; I'm updating the page to reflect what you see in Splunk Web. Sincere apologies for the confusion.

Malmoore, Splunker
February 1, 2019

Is this documentation talking about Restricted Search Terms in a Role permission screen?
Is "Search Filter" an older term specific to older versions of Splunk?
Trying to understand how this applies to Splunk is difficult when the documentation uses different terminology than what's in the interface.

November 13, 2018

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters