Create and manage roles with Splunk Web
You can assign roles to users that determine the level of access that those users have to the Splunk platform and the tasks that they can perform. The platform comes with a set of default roles, and you can also create your own custom roles that you can tailor to the needs of your organization.
Roles can contain one or more capabilities that provide access to specific parts of the Splunk platform. A user that has a role assigned to them receives all of the capabilities that are associated with the role. Roles can inherit capabilities from other roles.
Manage role inheritance, searched indexes, restrictions, and available search resources
When you add and edit roles, you can modify the following role properties:
- You can manage role inheritance. See "Specify role inheritance" in this topic.
- You can manage the indexes that a role has available to it as well as which indexes the Splunk platform searches by default. See "Specify searchable indexes for a role" in this topic.
- You can apply a search filter to further limit search results. You can either specify the filter manually or use the search filter generator - a wizard that lets you build and populate the filter by using indexed fields and values found in those indexes. See "Specify search restrictions for a role" in this topic.
- You can control resource usage on the platform by limiting disk space usage for search artifacts, the number of searches that the role as a whole can run, and the number of searches that users who hold the role can run individually. See "Specify default app and search limits for a role" in this topic.
While you can have any role inherit from any other role, custom roles that inherit from the
power users roles do not automatically inherit administrator-level access to the instance.
- For more information about roles and how capabilities and permissions are inherited, see About configuring role-based user access.
- For information about granting management access to custom roles, see Add access controls to custom roles.
- For more information about role inheritance, see Role inheritance in the About configuring role-based user access topic.
- For more information about how capabilities work, as well as the full list of capabilities, see About defining roles with capabilities.
Add or edit a role
Create or edit roles for your Splunk platform instance on the Roles page in Settings.
- Click Settings > Roles.
- Click New Role to create a new role, or click an existing role to edit it.
- Enter a name for your role.
Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.
- Make adjustments to role settings by editing configurations in any of the tabs in this dialog box.
- After you have made the configuration changes that you want, click Save to save the role.
The only required element of a role is its name. You do not have to complete any of the following tabs to save a role.
Specify role inheritance
Use the 1. Inheritance tab to add or change the inheritance of existing roles.
- Click 1. Inheritance to display the contents of the Inheritance tab.
- (Optional) In the Role Name text box, type in characters to display roles whose names contain those characters.
- (Optional) Click the All column header to select from a menu of display options for roles: "Show selected", "Show unselected", or "Show all".
- (Optional) Click the checkbox next to an existing role from which you want this role to inherit. You can click multiple checkboxes, or select all existing roles by clicking the checkbox in the column header.
Specify role capabilities
Use the 2. Capabilities tab to add or change the capabilities that this role holds.
- Click 2. Capabilities to display the contents of the Capabilities tab.
- (Optional) In the Capability Name field, type in a string to display capability names that contain the string.
- (Optional) Click the All column header to select from a menu of display options for capabilities: "Show native", "Show inherited", "Show selected", "Show unselected", or "Show all".
- Click the checkbox next to the capabilities that you want to assign to this role.
- Click Save.
Capabilities that have been inherited from other roles appear as grayed out and selected. You cannot deselect capabilities that come with inherited roles.
Specify searchable indexes for a role
Use the 3. Indexes tab to choose the indexes that the role can search, and which ones it should search by default.
You can specify both event and metric indexes. You can also specify wildcards that match more than one index. If a user with the role runs a metrics search without a specified index, the search includes results from the default metrics indexes that you assign to the role. You must select at least one index with data here if you want to be able to use the SPL Search Filter generator in the 4. Restrictions tab.
Wildcards let you specify all indexes that match the text you enter. For example, if you specify a wildcard of "
index_us*," it captures all existing indexes that begin with
index_us. Wildcards that you create appear in the Indexes table in alphabetical order, as selected and default indexes.
You can create multiple wildcards, but they only apply to the current role. You cannot transfer wildcards to other roles; instead you must explicitly create the same wildcard by editing the roles and adding the wildcards there. To delete a wildcard from a role, confirm that the wildcard is neither a selected nor a default index, and save the role.
- Click 3. Indexes to display the contents of the Indexes tab.
- (Optional) In the Wildcards section, enter a string that contains the
*character and specifies the group of indexes you want to search, then click Create.
You can repeat this action to add more wildcards. If a wildcard already exists, Splunk Web advises you.
- (Optional) In the Index Name field, type in a string to display index names that begin with that string.
- (Optional) Click the All column header to select from a menu of display options for indexes: "Show native", "Show inherited", "Show selected", "Show unselected", or "Show all".
- Click the Included checkbox for an index to include search results from that index for this role.
- Click the Default checkbox for an index to include search results from that index when a user that holds this role does not specify an index in their search.
Indexes from inherited roles appear as grayed out and selected. You cannot deselect indexes that come with inherited roles.
Specify search restrictions for a role
Use the 4. Restrictions tab to limit the scope of search results that return when users with the role run searches. The search filter combines with the base search that users with the role run, based on several factors. The search job returns only the results that arise from the combined search.
For more information on valid syntax to use with the search filter, see "SPL search filter syntax" later in this topic.
- Click 4. Restrictions to display the contents of the Restrictions tab.
- In the SPL Search filter field, type in a valid SPL string that combines with any base search that a user with this role runs.
- (Optional) Use the Search filter SPL generator to create a search filter.
- In the Indexed fields and values time range drop down list, choose a time range to search for indexed fields and their associated values.
For these controls to work, you must have selected at least one index with data in the Indexes tab. Changing the default time of 60 seconds can increase the amount of time it takes to populate the Indexed Fields and Values text boxes, but might be necessary to retrieve a comprehensive list of indexed fields.
- In the "Indexed fields" text box, do one of the following:
- Click on the text box to display a drop-down list box that contains the most common indexed fields that were found, based on the indexes you have selected in the 3. Indexes tab and the time that you specified in the "Indexed fields and values time range" setting. The
|walklexsearch command populates this field.
- Enter the name of an indexed field.
- In the "Values" text box, do one of the following:
- Click on the text box to display a drop-down list box that shows the top 250 indexed field values that were found, in lexical order, based on the fields you selected in the "Indexed fields" text box.
- Enter a custom field value directly. You can also use wildcards.
- Use the Concatenation option drop-down list box to determine how the SPL generator adds SPL text that it generates to any existing text in the SPL search filter.
- Choose "AND" to add the generated SPL prepended with the
- Choose "OR" to add the generated SPL prepended with the
- Choose "NOT" to add the generated SPL prepended with the
If the search filter does not have any text in it, the "Concatenation option" drop-down list box is disabled.
- Choose "AND" to add the generated SPL prepended with the
- Review the SPL that the SPL generator proposes adding to the SPL search filter.
- If you are satisfied with the SPL that has been generated, click Add to SPL search filter. The SPL generator updates the SPL search filter text box with the generated text. If there is already text in the filter text box, the SPL generator appends the generated text. Depending on the concatenation option you chose, the SPL generator adds the text after the "AND", "OR", or "NOT" keyword.
- (Optional) If you do not like the SPL that you generated with the SPL generator, you can remove the text that you added by clicking Reset.
- (Optional) If you want to see how the search filter can affect search results before you apply it, click Preview search filter results. This action opens a new Search page that shows the results of a search with the current search filter.
If you select an indexed field that is already present in the SPL search filter, Splunk Web displays a message about possible SPL collisions. Review the filter to confirm that there are no unintended conflicts.
The search preview results are an example of what a user with this role might see. Several factors can alter the actual results from what the preview shows.
The preview makes the assumption that the user holds only this role. While it includes results from inherited indexes, it does not include any search filters that might exist in inherited roles.
If you have configured the Splunk platform instance so that search filters for a role eliminate, rather than select results, actual results might be the opposite of what you see in the preview. The
srchFilterSelecting setting in
authorize.conf controls whether search filters select or eliminate results, and is
true by default. A
false value tells search filters to eliminate results.
In the 5. Resources tab, you can control the default app that a user with this role sees when they log into the Splunk platform. You can also set user- and role-based limits to concurrent searches, role-based limits to search time ranges, and limits to the amount of disk space that a person with a given role can take up with their search jobs at a given time.
You can also control various search job characteristics and limits.
- (Optional) In the Default app dropdown, select the default Splunk app that appears when a user that holds this role logs in.
- (Optional) In the Role search job limit section, enter the maximum number of standard searches that this role can run concurrently in the Standard search job limit text box.
To remove search limits, you can enter 0 in this and other search limit text boxes.
- (Optional) Enter the maximum number of real-time searches that a user with this role can run concurrently in the Real-time search job limit text box.
- (Optional) In the User search job limit section, enter the maximum number of standard searches that a user can run concurrently in the Standard search job limit text box.
- (Optional) In the Role search time window limit section, select a time window for searches for this role. Click the drop-down list box to choose from one of "Unset" or "Indefinite" which means no limit, or "Custom time", which exposes a text box where you can enter a time limit in seconds.
Inherited roles with set search time window can override what you specify here.
- (Optional) In the Disk space limit section, enter the amount of space that search jobs run by a person with this role can take up on disk at a given time in the Standard search limit text box.
Save changes to role configurations
You must save changes to role configurations (including search time restrictions) and restart the Splunk platform before those changes can take effect. If you do not restart, the instance cannot enforce your configurations and restrictions.
- To save all of the changes you have made and close the dialog box, click Save.
- If you do not want to save the changes, click Cancel.
If you click Cancel, you lose any unsaved changes that you have made since you opened the Roles dialog box.
For more information about restarting the Splunk platform, see Start and stop Splunk Enterprise in the Admin Manual.
SPL search filter syntax
The SPL search filter field in the 4. Restrictions tab accepts any of the following search terms:
- The keywords
- Search fields
You can enter SPL manually into the SPL search filter text box, or use the SPL generator to create SPL for the search filter based on fields and field values that you have indexed.
You can use wildcards. Use
OR to allow multiple terms, or
AND to make the filter more restrictive.
Caveats to using the SPL search filter
The search terms cannot include any of the following:
- Saved searches
- Time operators
- Regular expressions
mcatalogsearch commands, when you use them in conjunction with the
- Any fields or modifiers that you can override from the Splunk Web search bar
Usage of search filter syntax with event and metrics data
For event data, when you specify search term filters, use the
key::value syntax, rather than
key=value, where possible, to restrict search terms to indexed fields. If you specify the
key=value syntax as part of a filter, the search filter dialog box warns you that usage of the
= operator can result in poor search performance for users who hold the role. Also, it is not secure to use the operator because filters with the operator can be bypassed by user knowledge objects.
If you attempt to add an indexed field that already exists in the current search filter, the page warns you that the indexed field already exists and to ensure that you have no unintended SPL conflicts in the search filter.
For search filters with metrics data, use the
key=value to specify search restrictions to metrics fields. This is because the
key::value syntax does not work for searches over metrics data. In this case, you can safely disregard syntax warnings about the
= operator that the search filter dialog box presents.
Add and edit users
Add and edit roles with authorize.conf
This documentation applies to the following versions of Splunk® Enterprise: 8.0.0, 8.0.1, 8.0.2