Splunk® Enterprise

Securing Splunk Enterprise

Add and edit roles with Splunk Web

When you create users, you can assign roles that determine the level of access that users have to the Splunk platform and the tasks that they can perform. The platform comes with a set of default roles that you can use. You can also create your own custom roles.

Roles can contain one or more capabilities that provide access to specific parts of the Splunk platform. A user that has a role assigned to them receives all of the capabilities that are associated with the role. Roles can inherit capabilities from other roles, and you can manage that inheritance in Splunk Web.

While you can have any role inherit from any other role, custom roles that inherit from the admin or power roles do not automatically inherit administrator-level access to the instance. Inheritance adds the capabilities and indexes of the parent role to the child; it does not make the child role equivalent to the parent.

Add or edit a role

Create or edit roles for your Splunk platform instance on the Roles page in Settings.

  1. Click Settings > Roles.
  2. Click New Role to create a new role, or click an existing role to edit it.
  3. Enter a name for your role.

    Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.

  4. Make adjustments to role settings by editing configurations in any of the tabs in this dialog box.
  5. After you have made the configuration changes that you want, click Save to save the role.

The only required element of a role is its name. You do not have to complete any of the following tabs to save a role.

Specify role inheritance

Use the 1. Inheritance tab to choose the existing roles that this role inherits capabilities and indexes from.

  1. Click 1. Inheritance to display the contents of the Inheritance tab.
  2. (Optional) In the Role Name text box, type in characters to display roles whose names contain those characters.
  3. (Optional) Click the All column header to select from a menu of display options for roles: "Show selected", "Show unselected", or "Show all".
  4. (Optional) Click the checkbox next to an existing role from which you want this role to inherit. You can click multiple checkboxes, or select all existing roles by clicking the checkbox in the column header.

Specify role capabilities

Use the 2. Capabilities tab to add or change the capabilities that this role holds.

  1. Click 2. Capabilities to display the contents of the Capabilities tab.
  2. (Optional) In the Capability Name field, type in a string to display capability names that contain the string.
  3. (Optional) Click the All column header to select from a menu of display options for capabilities: "Show native", "Show inherited", "Show selected", "Show unselected", or "Show all".
  4. Click the checkbox next to the capabilities that you want to assign to this role.
  5. Click Save.

    Capabilities that have been inherited from other roles appear as grayed out and selected. You cannot deselect capabilities that come with inherited roles; to remove one, remove the inheritance on the 1. Inheritance tab. Because inheritance is additive, review the full capability list of every role you inherit from before you save, so that the new role does not receive more than it needs.

Specify searchable indexes for a role

Use the 3. Indexes tab to choose the indexes that the role can search, and which ones it should search by default. You can specify both event and metric indexes. If a user with the role runs a metrics search without a specified index, the search includes results from the default metrics indexes that you assign to the role. You must select at least one index with data if you want to be able to use the SPL Search Filter generator in the 4. Restrictions tab.

  1. Click 3. Indexes to display the contents of the Indexes tab.
  2. (Optional) In the Index Name field, type in a string to display index names that begin with that string.
  3. (Optional) Click the All column header to select from a menu of display options for indexes: "Show native", "Show inherited", "Show selected", "Show unselected", or "Show all".
  4. Click the Included checkbox for an index to include search results from that index for this role.
  5. Click the Default checkbox for an index to include search results from that index when a user that holds this role does not specify an index in their search.

    Indexes from inherited roles appear as grayed out and selected. You cannot deselect indexes that come with inherited roles.
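To make the inheritance rules on the Inheritance, Capabilities and Indexes tabs concrete, here is an added example (my own code, not code from the Splunk documentation or from the product) that reads role stanzas from a constructed authorize.conf fragment and computes what a role effectively holds. The setting names are the ones authorize.conf uses (importRoles, srchIndexesAllowed, srchIndexesDefault, and "<capability> = enabled"); the role names, index names and stanza contents are invented for the example. It shows the point that matters for least privilege: everything reachable through importRoles is granted, the child role cannot remove any of it, and a custom role that imports power inherits search access to every non-internal index because power carries srchIndexesAllowed = *.

```python
"""Resolve the effective permissions of a Splunk role from authorize.conf.

Added example; not code from the Splunk documentation or product. It models
the inheritance behaviour the Inheritance, Capabilities and Indexes tabs
describe: a role holds every capability and every searchable index of the
roles it inherits from, transitively, and nothing an inherited role grants
can be deselected in the child. The conf text, role names and index names
below are constructed for this example.
"""
import configparser
from typing import Dict, FrozenSet, Set, Tuple

# Constructed authorize.conf fragment. Setting names follow authorize.conf;
# the stanza contents are invented. In srchIndexesAllowed, "*" means all
# non-internal indexes.
SAMPLE_AUTHORIZE_CONF = """
[role_soc_base]
srchIndexesAllowed = security
srchIndexesDefault = security
search = enabled
rtsearch = enabled

[role_soc_analyst]
importRoles = soc_base
srchIndexesAllowed = endpoint
srchIndexesDefault = endpoint
schedule_search = enabled

[role_soc_lead]
importRoles = soc_analyst;power
edit_roles = enabled

[role_power]
srchIndexesAllowed = *
delete_by_keyword = enabled
"""


def load_roles(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Parse [role_<name>] stanzas into {name: {setting: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep setting and capability names case-sensitive
    parser.read_string(conf_text)
    return {s[len("role_"):]: dict(parser[s])
            for s in parser.sections() if s.startswith("role_")}


def _split(value: str) -> Set[str]:
    """authorize.conf lists (importRoles, srchIndexes*) are semicolon separated."""
    return {v.strip() for v in value.split(";") if v.strip()}


def effective(roles: Dict[str, Dict[str, str]], name: str,
              _seen: FrozenSet[str] = frozenset()) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (capabilities, indexes allowed, indexes default) for a role,
    including everything reached through importRoles."""
    if name not in roles:
        raise KeyError(f"unknown role {name!r}")
    if name in _seen:  # an import cycle contributes nothing further
        return set(), set(), set()
    _seen = _seen | {name}
    stanza = roles[name]
    caps, allowed, default = set(), set(), set()
    for key, value in stanza.items():
        if key == "srchIndexesAllowed":
            allowed |= _split(value)
        elif key == "srchIndexesDefault":
            default |= _split(value)
        elif key != "importRoles" and value.strip().lower() == "enabled":
            caps.add(key)
    for parent in _split(stanza.get("importRoles", "")):
        p_caps, p_allowed, p_default = effective(roles, parent, _seen)
        caps |= p_caps
        allowed |= p_allowed
        default |= p_default
    return caps, allowed, default


def inherited_only(roles: Dict[str, Dict[str, str]], name: str) -> Set[str]:
    """Capabilities the role holds only through inheritance: the grayed-out,
    non-deselectable entries on the Capabilities tab."""
    caps, _, _ = effective(roles, name)
    own = {k for k, v in roles[name].items() if v.strip().lower() == "enabled"}
    return caps - own


if __name__ == "__main__":
    roles = load_roles(SAMPLE_AUTHORIZE_CONF)
    caps, allowed, default = effective(roles, "soc_lead")
    print("capabilities:", sorted(caps))
    print("indexes allowed:", sorted(allowed), "default:", sorted(default))
    print("inherited only:", sorted(inherited_only(roles, "soc_lead")))
```

Run this against the authorize.conf that Splunk Web writes (typically under $SPLUNK_HOME/etc/system/local) as a review step before approving a role change. Anything that appears in inherited_only is what the Capabilities tab would show grayed out, and an index of "*" in the allowed set means the role can search every non-internal index regardless of what the Indexes tab shows as native.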

Specify search restrictions for a role

Use the 4. Restrictions tab to limit the scope of the results that searches run by users with this role return. The platform combines the search filter with the base search that the user runs; how the two combine depends on several factors, including whether the filter selects or eliminates results and whether inherited roles carry filters of their own. The search job returns only the results of the combined search.

For more information on valid syntax to use with the search filter, see "SPL search filter syntax" later in this topic.

  1. Click 4. Restrictions to display the contents of the Restrictions tab.
  2. In the SPL Search filter field, type in a valid SPL string that combines with any base search that a user with this role runs.
  3. (Optional) Use the Search filter SPL generator to create a search filter.
    1. In the Indexed fields and values time range drop down list, choose a time range to search for indexed fields and their associated values.

      For these controls to work, you must have selected at least one index with data in the Indexes tab. Changing the default time of 60 seconds can increase the amount of time it takes to populate the Indexed Fields and Values text boxes.

    2. In the "Indexed fields" text box, do one of the following:
      1. Click on the text box to display a drop-down list box that contains the most common indexed fields that were found, based on the indexes you have selected in the 3. Indexes tab and the time that you specified in the "Indexed fields and values time range" setting. The |walklex search command populates this field.
      2. Enter the name of an indexed field.

      If you select an indexed field that is already present in the SPL search filter, Splunk Web displays a message about possible SPL collisions. Review the filter to confirm that there are no unintended conflicts.

    3. In the "Values" text box, do one of the following:
      1. Click on the text box to display a drop-down list box that shows the top 250 indexed field values that were found, in lexical order, based on the fields you selected in the "Indexed fields" text box.
      2. Enter a custom field value directly. You can also use wildcards.
    4. Use the Concatenation option drop-down list box to determine how the SPL generator adds SPL text that it generates to any existing text in the SPL search filter.
      1. Choose "AND" to add the generated SPL prepended with the AND keyword.
      2. Choose "OR" to add the generated SPL prepended with the OR keyword.
      3. Choose "NOT" to add the generated SPL prepended with the NOT keyword.

      If the search filter does not have any text in it, the "Concatenation option" drop-down list box is disabled.

    5. Review the SPL that the SPL generator proposes adding to the SPL search filter.
    6. If you are satisfied with the SPL that has been generated, click Add to SPL search filter. The SPL generator updates the SPL search filter text box with the generated text. If there is already text in the filter text box, the SPL generator appends the generated text. Depending on the concatenation option you chose, the SPL generator adds the text after the "AND", "OR", or "NOT" keyword.
    7. (Optional) If you do not like the SPL that you generated with the SPL generator, you can remove the text that you added by clicking Reset.
    8. (Optional) If you want to see how the search filter can affect search results before you apply it, click Preview search filter results. This action opens a new Search page that shows the results of a search with the current search filter.
    9. Treat the search preview results as an example of what a user with this role might see. Several factors can make the actual results differ from the preview.

      The preview assumes that the user holds only this role. It includes results from inherited indexes, but it does not apply any search filters that exist in inherited roles.

      If the role is configured so that its search filter eliminates results rather than selects them, the actual results can be the opposite of what the preview shows. The srchFilterSelecting setting in authorize.conf controls whether a role's search filter selects or eliminates results. It is true (select) by default; a value of false tells the filter to eliminate results.

Specify default app and search-related limits for a role

In the 5. Resources tab, you can control the default app that a user with this role sees when they log into the Splunk platform. You can also control various search job characteristics and limits.

  1. (Optional) In the Default app dropdown, select the default Splunk app that appears when a user that holds this role logs in.
  2. (Optional) In the Role search job limit section, enter the maximum number of standard searches that this role can run at a time in the Standard search job limit text box.

    To remove search limits, you can enter 0 in this and other search limit text boxes.

  3. (Optional) Enter the maximum number of real-time searches that a user with this role can run at a time in the Real-time search job limit text box.
  4. (Optional) In the User search job limit section, enter the maximum number of standard searches that users can run at a time in the Standard search job limit text box.
  5. (Optional) In the Role search time window limit section, choose a search time window for this role from the drop-down list box. "Unset" and "Indefinite" both mean no limit; "Custom time" exposes a text box where you enter the limit in seconds.

    If a role that this role inherits from has its own search time window set, that inherited window can override the value you specify here.

  6. (Optional) In the Disk space limit section, enter the amount of disk space that search jobs for this role can take up at a given time in the Standard search limit text box.

Save changes to role configurations

You must save changes to role configurations (including search time restrictions) and restart the Splunk platform before those changes can take effect. If you do not restart, the instance cannot enforce your configurations and restrictions.

  • To save all of the changes you have made and close the dialog box, click Save.
  • If you do not want to save the changes, click Cancel.

    If you click Cancel, you lose any unsaved changes that you have made since you opened the Roles dialog box.

For more information about restarting the Splunk platform, see Start and stop Splunk Enterprise in the Admin Manual.

SPL search filter syntax

The SPL search filter field in the 4. Restrictions tab accepts any of the following search terms:

  • source::
  • host::
  • index::
  • sourcetype::
  • eventtype= or eventtype::
  • The keywords AND, OR, or NOT
  • Search fields

You can enter SPL manually into the SPL search filter text box, or use the SPL generator to create SPL for the search filter based on fields and field values that you have indexed.

You can use wildcards. Use OR to allow multiple terms, or AND to make the filter more restrictive.

Caveats to using the SPL search filter

The search terms cannot include any of the following:

  • Saved searches
  • Time operators
  • Regular expressions
  • The mstats, msearch, and mcatalog search commands, when you use them in conjunction with the key::value syntax
  • Any fields or modifiers that you can override from the Splunk Web search bar

Usage of search filter syntax with event and metrics data

For event data, use the key::value syntax rather than key=value wherever possible, so that a search term matches only indexed fields. If you use key=value in a filter, the search filter dialog box warns you that the = operator can result in poor search performance for users who hold the role. The = form is also not secure: key=value matches search-time field values, and a user can create knowledge objects (such as field extractions, aliases, or calculated fields) that redefine what the field contains, which lets them bypass the filter. The key::value form matches only the value that was indexed, which users cannot redefine.

If you attempt to add an indexed field that already exists in the current search filter, the page warns you that the indexed field already exists and to ensure that you have no unintended SPL conflicts in the search filter.

For search filters with metrics data, use the key=value to specify search restrictions to metrics fields. This is because the key::value syntax does not work for searches over metrics data. In this case, you can safely disregard syntax warnings about the = operator that the search filter dialog box presents.
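Two of the passages above, the Restrictions tab procedure (with its note on srchFilterSelecting) and the SPL search filter syntax and caveats, both come down to what a filter string may contain and how several filters combine. The following added example (my own code, not the documentation's and not the product's parser) implements the caveats as lint checks over a filter string and combines the filters of a constructed inheritance chain. The combination rule is the srchFilterSelecting behaviour described in authorize.conf.spec as I read it (selecting filters joined with OR, eliminating filters joined with AND, and the two groups AND-ed together); confirm it against the spec file shipped with your version. The role names, the filters and the regular expressions used for the checks are my assumptions and only approximate Splunk's real parsing.

```python
"""Check a role's SPL search filter and show how filters in an inheritance
chain combine.

Added example; not code from the Splunk documentation and not the parser the
product uses. The checks implement the caveats from this topic: no time
operators, no regular expressions or saved searches, no mstats/msearch/mcatalog
together with key::value, and key=value only for metrics data. The combination
follows the srchFilterSelecting rule in authorize.conf.spec as I read it
(selecting filters OR-ed, eliminating filters AND-ed, the two groups AND-ed);
confirm it against the spec for your version. Role names and filters are
constructed for the example.
"""
import re
from typing import List, Tuple

TIME_KEYS = {"earliest", "latest", "_index_earliest", "_index_latest"}
TIME_MODIFIER = re.compile(r"\b(earliest|latest|_index_earliest|_index_latest)\s*=", re.I)
# Commands that embed a saved search or a regular expression.
FORBIDDEN_COMMAND = re.compile(r"\|\s*(savedsearch|rex|regex)\b", re.I)
METRICS_WITH_INDEXED_SYNTAX = re.compile(r"\|\s*(mstats|msearch|mcatalog)\b.*::", re.I | re.S)
# key=value or key!=value; the indexed-field form key::value does not match.
EQUALS_TERM = re.compile(r"\b([A-Za-z_][\w.]*)\s*!?=\s*\S")


def lint_filter(spl: str, metrics: bool = False) -> List[str]:
    """Return findings for one search filter; an empty list means no issue found."""
    findings: List[str] = []
    if TIME_MODIFIER.search(spl):
        findings.append("time operators are not allowed in a search filter")
    if FORBIDDEN_COMMAND.search(spl):
        findings.append("saved searches and regular expressions are not allowed")
    if METRICS_WITH_INDEXED_SYNTAX.search(spl):
        findings.append("mstats/msearch/mcatalog cannot be combined with key::value")
    for match in EQUALS_TERM.finditer(spl):
        key = match.group(1)
        if key.lower() in TIME_KEYS or key.lower() == "eventtype":
            continue  # eventtype= is allowed; time keys were reported above
        if not metrics:
            findings.append(
                f"'{key}=' matches a search-time field that a user's own knowledge "
                f"objects can redefine; use '{key}::' to pin the filter to the indexed value")
    return findings


def combine_filters(chain: List[Tuple[str, str, bool]]) -> str:
    """chain holds (role, srchFilter, srchFilterSelecting) for a role and every
    role it inherits from. Selecting filters widen what the user sees (OR);
    eliminating ones narrow it (AND)."""
    selecting = [f"({spl})" for _, spl, sel in chain if sel and spl.strip()]
    eliminating = [f"({spl})" for _, spl, sel in chain if not sel and spl.strip()]
    groups = []
    if selecting:
        groups.append("(" + " OR ".join(selecting) + ")")
    if eliminating:
        groups.append("(" + " AND ".join(eliminating) + ")")
    return " AND ".join(groups)


# Constructed inheritance chain: soc_lead imports soc_analyst, which imports soc_base.
ROLE_CHAIN = [
    ("soc_lead", "host::dc-*", True),
    ("soc_analyst", "sourcetype::wineventlog", True),
    ("soc_base", "NOT index::hr", False),
]


if __name__ == "__main__":
    for spl in ("sourcetype::wineventlog host::dc-*",
                "sourcetype=wineventlog",
                "index::main earliest=-1h"):
        print(f"{spl!r}: {lint_filter(spl) or 'ok'}")
    print("effective filter for soc_lead:", combine_filters(ROLE_CHAIN))
```

The combine_filters result is the caveat that the preview on the Restrictions tab cannot show: because selecting filters from inherited roles are OR-ed, adding host::dc-* to soc_lead does not confine its users to domain controllers; they still see everything that sourcetype::wineventlog grants through soc_analyst. Only the eliminating filter from soc_base (srchFilterSelecting = false) narrows the result. Run lint_filter over every srchFilter in authorize.conf as a review step before a role goes live, and treat any finding about the = operator on event data as a bypassable control rather than a performance nit.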

This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1