Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Create the authentication script

To integrate your authentication system with your Splunk deployment, make sure the authentication system is running and then do the following:

1. Create a Python authentication script. See "Create a Python script" in this topic for the procedure.

2. Test the new script. See "Test the script" in this topic for the procedure.

3. Enable your script by editing authentication.conf to specify scripted authentication and associated settings. See "Edit authentication.conf" for the procedure.

Splunk Cloud Platform doesn't support scripted authentication.

Create a Python script

You must create a Python script that implements these authentication functions:

  • userLogin
  • getUserInfo
  • getUsers

The Splunk server will call these functions as necessary, either to authenticate user login or to obtain information on a user's roles.

The script can optionally also include a handler for this function:

  • getSearchFilter

This table summarizes the authentication functions, their arguments, and their return values:

Function: userLogin
  Description: Login with user credentials.
  Argument string: --username=<username>
                   --password=<password>
                   (values passed one per line over stdin)
  Return value string: --status=success|fail
                       (safely passed over stdout)

Function: getUserInfo
  Description: Return a user's information, including name and role(s).
  Argument string: --username=<username>
  Return value string: --status=success|fail --userInfo=<userId>;<username>;<realname>;<roles>

  Note the following:

    • userInfo must specify a semicolon-delimited list.
    • <userId> is deprecated; you should return just the associated semicolon.
    • <username> is required.
    • <realname> is optional, but its semicolon is required.
    • <roles> is required. To return multiple roles, use colons to separate the roles.
      For example: admin:power
    • This example returns just the roles for a user named "docsplunk":
          --status=success --userInfo=;docsplunk;;admin:power

Function: getUsers
  Description: Return information for all Splunk users.
  Argument string: none
  Return value string: --status=success|fail --userInfo=<userId>;<username>;<realname>;<roles> --userInfo=<userId>;<username>;<realname>;<roles> ...

  Note the following:

    • See getUserInfo for information on the syntax to use to return each user's information.
    • Separate each user's information with a space.
    • <roles> is required. To return multiple roles, use colons to separate the roles.
      For example: admin:power

Function: getSearchFilter
  Description: Optional. Returns the filters applied specifically to this user, along with those applied to the user's roles. The filters are OR'd together.
  Argument string: --username=<username>
  Return value string: --status=success|fail --search_filter=<filter> --search_filter=<filter> ...

Note: User-based search filters are optional and not recommended. A better approach is to assign search filters to roles and then assign users to the appropriate roles.

For more information, see "Use the getSearchFilter function to filter at search time".

See the example scripts for detailed information on how to implement these functions.
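The following script is an added example of the four handlers described above, written for this page; it is not one of Splunk's own example scripts. It reads the "--key=value" arguments one per line from stdin, answers on stdout, and follows the return-value conventions from the table (deprecated <userId> left empty, roles colon-separated, one --userInfo token per user). The user store, the passwords, the salts and the per-user search filter are constructed for the example; a real script would query the external authentication system instead.

```python
#!/usr/bin/env python3
"""Added example of a Splunk scripted-authentication script (not one of
Splunk's own example scripts). Splunk runs it as
`python auth_script.py <function>` and writes the arguments to stdin, one
`--key=value` per line, followed by EOF; the script answers on stdout."""
import hashlib
import hmac
import sys


def _digest(salt, password):
    """Salted SHA-256 of a password; stands in for the external system's
    credential check in this constructed example."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed demo user store (assumption for this example only). A real
# script would query the external authentication system instead of a dict.
_USERS = {
    "alice": {"realname": "Alice Example", "roles": ["admin", "super"],
              "salt": "salt-a", "pw": _digest("salt-a", "alice-demo-pw")},
    "bob": {"realname": "Bob Example", "roles": ["user"],
            "salt": "salt-b", "pw": _digest("salt-b", "bob-demo-pw")},
}
# Constructed per-user search filters (the page discourages these; role
# filters are preferred). Only bob has one, to show the output format.
_USER_FILTERS = {"bob": ["host=demo-host"]}


def parse_args(lines):
    """Turn the '--key=value' lines Splunk sends over stdin into a dict.
    Lines that do not fit that shape are ignored rather than trusted."""
    args = {}
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("--") and "=" in line:
            key, value = line[2:].split("=", 1)
            args[key] = value
    return args


def _user_info(name):
    """Build one --userInfo token. <userId> is deprecated, so only its
    trailing semicolon is emitted; roles are colon-separated."""
    user = _USERS[name]
    return "--userInfo=;%s;%s;%s" % (name, user["realname"],
                                     ":".join(user["roles"]))


def userLogin(args):
    user = _USERS.get(args.get("username", ""))
    if user is None:
        return "--status=fail"
    # Constant-time comparison of the stored and candidate digests.
    candidate = _digest(user["salt"], args.get("password", ""))
    if hmac.compare_digest(user["pw"], candidate):
        return "--status=success"
    return "--status=fail"


def getUserInfo(args):
    name = args.get("username", "")
    if name not in _USERS:
        return "--status=fail"
    return "--status=success " + _user_info(name)


def getUsers(args):
    # One --userInfo token per user, separated by spaces.
    return "--status=success " + " ".join(_user_info(n) for n in sorted(_USERS))


def getSearchFilter(args):
    name = args.get("username", "")
    if name not in _USERS:
        return "--status=fail"
    filters = _USER_FILTERS.get(name, [])
    return " ".join(["--status=success"] +
                    ["--search_filter=%s" % f for f in filters])


HANDLERS = {"userLogin": userLogin, "getUserInfo": getUserInfo,
            "getUsers": getUsers, "getSearchFilter": getSearchFilter}


def dispatch(function, lines):
    """Route one call to its handler; unknown function names fail closed."""
    handler = HANDLERS.get(function)
    if handler is None:
        return "--status=fail"
    return handler(parse_args(lines))


if __name__ == "__main__":
    function = sys.argv[1] if len(sys.argv) > 1 else ""
    # Splunk sends EOF after the last argument, so readlines() returns.
    print(dispatch(function, sys.stdin.readlines()))
```

Because `dispatch` takes the function name and the stdin lines as plain values, the handlers can be exercised from a unit test without a subprocess, and the same script can be driven interactively with the stdin/EOF pattern described under "Test the script". Unknown function names and unknown users both answer --status=fail, so a typo in the caller never produces a success.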

Test the script

Since the communication between your Splunk deployment and the script occurs via stdin and stdout, you can test the script interactively in your command shell. Be sure to send one argument per line and end each function call with an EOF (Ctrl-D).

Test each function individually, using this pattern:

> python [script] [function name]
[pass arguments here, one per line]
[send eof, with Ctrl-D]
[output appears here, check that it's correct]

The following example shows a debugging session that does some simple testing of a fictional script called "example.py", with two users "alice" and "bob". "alice" is a member of the "admin" and "super" roles, and "bob" is a member of the "user" role.

> python example.py userLogin
<send an EOF>
> python example.py userLogin
<send an EOF>
> python example.py getUsers
<no arguments for this function, send an EOF> 
--status=success --userInfo=bob;bob;bob;user --userInfo=alice;alice;alice;admin:super
> python example.py getUserInfo
<send an EOF>
--status=success --userInfo=bob;bob;bob;user
> python example.py getUserInfo
<send an EOF>

Important: This is just an example of how to go about testing a script. It does not attempt to perform exhaustive debugging of any real script.

Last modified on 16 March, 2022

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1
