Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Create and manage users with Splunk Web

You can manage who has user access to your Splunk platform instance with the Users control panel. This page lets you create, delete, and manage users, including their name, email address, password, default time zone, and role assignments. The Splunk platform comes with several predefined users, and you can create new users or modify the existing users with this page.

You access the Users control panel from anywhere in Splunk Web by selecting Settings > Users in the system bar.

For more information about the user authentication methods that Splunk Cloud Platform supports, see the Users and authentication section in the Splunk Cloud Platform Service Description.

The "Users" control panel

The "Users" control panel is where you perform all aspects of user management. It displays a list of all users that are on the Splunk platform instance. By default, the page lists the users ascending by name. The page displays the following information in columns, from left to right:

  • Name: The user name. You can select the name to edit that user.
  • Actions: This column is a drop-down menu of actions that you can perform on the user. See "Perform actions on users" in this topic.
  • Authentication system: The authentication scheme that the user uses to log into the Splunk platform instance.
  • Full name: The full name of the user, as entered in the "Full Name" field on the individual user page.
  • Email address: The email address of the user, as entered in the "Email Address" field on the individual user page.
  • Time zone: The time zone that has been specified for the user. If the user uses the default system time zone, nothing appears here.
  • Default app: The default Splunk application context that a user is in when they log in.
  • Default app inherited from: The entity from which the user inherits the application context.
  • Roles: The roles that the user holds.
  • Last login: The last time the user successfully logged onto the instance. If nothing appears here, the user has never logged in.
  • Status: The current status of the user, as provided by the authentication scheme.

Sort the user list

You can select any of the column headers to sort the user list by that column header, with the exception of "Actions". Selecting a column header multiple times toggles whether the user list sorts in ascending or descending order.

Perform actions on users

You can perform several different actions on an existing user, including but not limited to making edits, cloning, viewing a list of capabilities that a user has, viewing the index inheritances that a user has, and performing a search in a user context. These actions are available under the Actions column for each user, and you can access them by selecting the Edit link in that column.

  • To create a user, select New User. See "Create a user" later in this topic for further instructions.
  • To edit a user, select Edit. The "Edit User" page appears. See "Edit a user" later in this topic for further instructions.
  • To clone a user, select Clone. This action takes you through the "Create a user" process to create an identical user. The username must be unique for the user you clone.
  • To view all of the capabilities that a user has, select View Capabilities. This loads the "View Capabilities" page which lists all of the capabilities that the user has, based on the roles that the user holds.
  • To run a search as a specific user, based on the indexes and search filters in the roles that they hold, select Search As. This loads a Search page where you can run a search within the framework of the indexes and search filters that are available to that user. The search runs with the capabilities of the admin user. See "Run a search as a user" later in this topic for further instruction.
  • To view the indexes that a user has access to through role inheritance, select View Indexes. This loads the "View Index Inheritance" page which shows what indexes a user has access to based on the roles that they hold. See "View Index Inheritance for a user" later in this topic.
  • To delete a user, select Delete. Splunk Web confirms whether or not you want to delete the user.

Create a user

You can create a user at any time and assign several aspects to that user. When you clone a user, you use this procedure. The user that you clone must have a different username than any existing user.

  1. From the system bar, select Settings > Users.
  2. Select New User.
  3. In the Name field, provide a user name. This is what the user provides at the login page.
  4. In the Full Name field, provide the first and last name of the user.
  5. In the Email Address field, provide the user email address.
  6. In the Set password field, create a password.
  7. Confirm the new password in the Confirm Password field.
  8. Confirm that the password you created meets the password requirements as displayed near the "Confirm password" field.
  9. (Optional) Select the user's time zone in the Time Zone field.
  10. In the Default App field, select the app that the user will land in by default when they log into the Splunk platform instance. The default is "Home". "Search" is a common default app as well.
  11. In Assign to Roles, you can select any roles that you want for your user to hold.
  12. Select Create a role for user if you want the user's new assignments to be created as a role assigned specifically to this user.
  13. Check Require password change on first login to force your user to change their password when they first log into the Splunk platform instance.
  14. Select Save. The Splunk platform creates the user and returns you to the "Users" page.

Edit a user

All of the steps in this procedure are optional. If you do not make any changes, the Splunk platform does not change the user, even if you select "Save".

  1. From the system bar, select Settings > Users.
  2. Either select the user name link in the Name column, or select the Edit link in the Actions column for the user you want to edit.
  3. In the Name field, provide a user name. This is what the user provides at the login page.
  4. In the Full Name field, provide the first and last name of the user.
  5. In the Email Address field, provide the user email address.
  6. In the Set password field, create a password.
  7. Confirm the new password in the Confirm Password field.
  8. Confirm that the password you created meets the password requirements as displayed below the "Confirm password" field.
  9. Select the user's time zone in the Time Zone field.
  10. In the Default App field, select the app that the user will land in by default. The default is "Home". "Search" is a common default app as well.
  11. In Assign to Roles, you can select any roles that you want for your user to hold.
  12. Select Create a role for user if you want the user's new assignments to be created as a role assigned specifically to this user.
  13. Check Require password change on next login to force your user to immediately change their password.
  14. Select Save. The Splunk platform creates the user and returns you to the "Users" page.

Run a search as a user

When you run a search as a user, you see results based on the roles that the user holds and the indexes that the user has access to. Additionally, the search includes any search filters that you have configured for the roles that the user holds.

  1. From the system bar, select Settings > Users.
  2. Select the Edit link in the Actions column for the user under which you want to run a search.
  3. Select Search as... A New Search window opens.
  4. In the Search bar, type in a valid Splunk search. The Splunk platform returns results based on the context of the user and the roles that the user holds, as well as any search filters that have been configured for those roles.

View index inheritances for a user

You can see how a user gets access to an index based on the roles that the user holds. The indexes that a user has access to determine the results that searches return.

You can only view inheritances of indexes on this page. To change which indexes a role has access to, visit the Roles page and either add or edit a role. See Create and manage roles with Splunk Web.

  1. From the system bar, select Settings > Users.
  2. Select the Edit link in the Actions column for the user under which you want to view index inheritance information.
  3. Select View Indexes... The View Index Inheritance page opens.
  4. In the Index field, either type in the name of an index, or select the field to show a list of indexes.
  5. Select the index whose inheritance you want to view by selecting it in the drop-down list box. The table on the page updates based on the inheritances for the index you specified, as follows:
    • The "Roles" column displays the roles that have access to the index you selected.
    • If the user you chose holds the role, Splunk Web displays a star next to it.
    • If the role has the index directly, or natively, assigned to it, a triangle appears in the Included column for that role.
    • If the index has directly been made the default index for the role, a triangle appears in the Default column for that role.
    • If the role inherits the index from another role, then a circle appears in the Included column for that role, and the inherited role appears in the Inherits from column for the role.
    • If the index is the default index for the role through an inheritance, a circle appears in the Default column for that role.

Splunk Web follows inheritances to their logical end. This means it always displays the roles that inherit from another role until it finds the roles which have the selected indexes defined natively. Given the following scenario:

  • User Fred holds role Role1
  • Role Role1 inherits from role Role2
  • Role Role2 has indexes Index1 and Index2 assigned to it

If you selected Index1, the View Inheritances page would display the following:

  • The page lists both roles Role1 and Role2.
  • Role Role1 has a star by it because user Fred holds that role.
  • Role Role2 lists triangles under the Included and Default columns because role Role2 has those indexes assigned to it natively.
  • Role Role1 lists circles under the Included and Default columns because role Role1 inherits from role Role2.

If a user does not hold at least one role that has been assigned to the index you select, nothing appears in the View Index Inheritance table.
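
The inheritance walk described above can be modelled outside Splunk Web when reviewing which roles give a user access to an index. This is an added example, not Splunk code: the role dictionary, its key names, the extra role Role3, and the choice to report the natively defining role under "inherits from" are assumptions.

```python
# Constructed model of the Fred / Role1 / Role2 scenario; key names are hypothetical.
ROLES = {
    "Role1": {"inherits": ["Role2"], "indexes": [], "default": []},
    "Role2": {"inherits": [], "indexes": ["Index1", "Index2"],
              "default": ["Index1", "Index2"]},
    "Role3": {"inherits": [], "indexes": ["Index3"], "default": []},
}
USERS = {"Fred": ["Role1"]}


def native_source(roles, role, index, key, seen=None):
    """Follow inheritance from `role` until a role lists `index` natively under `key`."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:  # cycle or dangling reference
        return None
    seen.add(role)
    if index in roles[role][key]:
        return role
    for parent in roles[role]["inherits"]:
        source = native_source(roles, parent, index, key, seen)
        if source is not None:
            return source
    return None


def marker(role, source):
    """'native' = triangle, 'inherited' = circle, None = blank cell."""
    if source is None:
        return None
    return "native" if source == role else "inherited"


def index_inheritance(roles, users, user, index):
    """Rows of the inheritance table for `user` and `index`, keyed by role."""
    held = set(users.get(user, []))
    rows = {}
    for role in sorted(roles):
        included = native_source(roles, role, index, "indexes")
        if included is None:
            continue  # role has no access to this index
        default = native_source(roles, role, index, "default")
        rows[role] = {
            "star": role in held,
            "included": marker(role, included),
            "default": marker(role, default),
            # Assumption: report the role that defines the index natively.
            "inherits_from": None if included == role else included,
        }
    # The table stays empty when the user holds no role with access.
    return rows if any(r["star"] for r in rows.values()) else {}
```

Calling `index_inheritance(ROLES, USERS, "Fred", "Index1")` reproduces the scenario: Role1 is starred with inherited markers, and Role2 carries the native markers.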

Delete a user

Deleting a user permanently removes their account and its associated information from the instance, and cannot be undone. You cannot remove the admin user.

Do not delete or edit the Splunk Cloud Platform system users: admin, app-installer, cmon_user, index-manager, internal_automation, internal_ops_admin, internal_monitoring, and internal_observability. Splunk Cloud Platform uses these system user roles to perform essential monitoring and maintenance activities. See the section System User Roles in Configure and manage roles with Splunk Web for more information.

  1. From the system bar, select Settings > Users.
  2. Select the Edit link in the Actions column for the user you want to edit.
  3. Select Delete.
  4. In the confirmation dialog box, select Delete.
Last modified on 14 February, 2024

This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1

