Splunk Cloud

Splunk Cloud Admin Manual


This documentation does not apply to the most recent version of Splunk Cloud.

Manage Splunk Cloud users and roles

Splunk Cloud administrators can create users and assign roles to them. Roles are named collections of capabilities that determine the access and permissions of any user assigned that role. Splunk Cloud comes with predefined user accounts and roles. You can also create custom user accounts and roles.

User accounts that have multiple roles inherit properties from the role with the broadest permissions, as follows.

  • Search filters: Users that are assigned multiple roles inherit the capabilities from all assigned roles. For example, if you define two roles with different search filters, and a user account is assigned both roles, then the search filters and restrictions of both roles apply to the user. If a user that has no search restrictions is assigned a role that has search restrictions, the user inherits the search restrictions.
  • Allowed indexes: Users who have multiple roles with multiple indexes assigned get the highest level of index access assigned for any of the roles. For example, if a user is assigned both the "user" role, which limits index access to a single index, and the "power" role, which allows access to all indexes, the user has access to all indexes. If you want the same user account to inherit capabilities from a different "advanced user" role, but nothing more, create a new role specifically for that user.
  • Capabilities: Users who have multiple roles with multiple capabilities inherit the combined capabilities of all roles. For example, if an administrator creates a user account and assigns the "administrator" role with 15 capabilities, and also assigns the "advanced user" role, with a different set of 15 capabilities, the user account has the combined 30 capabilities of both roles.

Manage Splunk Cloud users

You administer users from the Users page in Splunk Web.

Do not delete or edit the Splunk Cloud system user roles: admin, app-installer, index-manager, internal_ops_admin, and internal_monitoring. Splunk uses these system user roles to perform essential monitoring and maintenance activities. See the section System User Roles in this topic for more information.

Create a Splunk Cloud user account

To create an account for a Splunk Cloud user, perform the following steps:

  1. Go to Settings > Users.
  2. Click New User.
  3. Enter a name for the user account in the Name field.
  4. Enter the first and last name of the user in the Full name field.
  5. Enter an email address at which you can contact the user in the Email address field.
  6. Enter a password for the user. The password must contain at least eight characters.
  7. Confirm the password in the Confirm password field.
  8. (Optional) Select the time zone for the user. This lets users view events and other information in their local time zone.
  9. (Optional) Set a default app if you want to override the default app that launches after the user logs in. If unset, the user account inherits the default app that belongs to the role.
  10. Assign at least one role to the user or select Create a role for this user to create a new role and assign it to the user. Multiple roles inherit permissions.
  11. If you want the user to change their password when they log in, click Require password change on first login.
  12. Click Save.

The user account appears in the Users page under the Username column. You can contact the user to provide the login credentials needed to access Splunk Cloud. Tell the user to change the temporary password immediately after the first login.

Change a Splunk Cloud user account

Splunk Cloud administrators can update user settings.

  1. Go to Settings > Users.
  2. Click the username for the user that you want to update, or click Edit in the Actions menu for that user.
  3. Update the settings for the user. The settings are the same as when you create a user, with the exception that the password change requirement checkbox is for the next login. For specific information on each setting, see "Create a Splunk Cloud user account" earlier in this topic.
  4. After you have edited the user settings, if you want to save them, click Save. If you don't want to save the changes, click Cancel.

Clone a Splunk Cloud user account

Splunk Cloud administrators can clone a user account. The clone operation creates a new user account with the same settings as the cloned user account, except for the username. The username must be unique for each user account.

  1. Go to Settings > Users.
  2. Click Clone in the Actions column of the user that you want to clone.
  3. Enter a unique username for the user in the Username field.
  4. Optionally, update additional settings. For specific information on each setting, see "Create a Splunk Cloud user account" earlier in this topic.
  5. Click Save.

The new user account appears in the Users page.

Delete a Splunk Cloud user account

Splunk Cloud administrators can delete user accounts.

  1. Go to Settings > Users.
  2. Click Delete in the Action column for the user that you want to delete.
  3. Click OK.

Perform actions on Splunk Cloud users

You can perform several different actions on an existing Splunk Cloud user on the Users page, including but not limited to making edits, cloning, viewing a list of capabilities, and performing a search as the user. These actions are available under the Actions column for each user, and you can access them by clicking the Edit link in that column.

  • To edit a Splunk Cloud user, click Edit. The "Edit User" page appears. See "Change a Splunk Cloud user account" earlier in this topic for editing instructions.
  • To clone a Splunk Cloud user, click Clone. This action takes you through the "Create a Splunk Cloud user account" process to create an identical user.
  • To view all of the capabilities that a Splunk Cloud user has, click View Capabilities. This loads the "View Capabilities" page which lists all of the capabilities that the user has, based on the roles that the user holds.
  • To run a search as a specific Splunk Cloud user, based on the indexes and search filters in the roles that they hold, click Search As. This loads a Search page where you can run a search within the framework of the indexes and search filters that are available to that user. The search runs with the capabilities of the admin user.
  • To delete a Splunk Cloud user, click Delete. Splunk Cloud confirms whether or not you want to delete the user.

Manage Splunk Cloud roles

Each user account is assigned one or more roles. Roles give users permissions to perform tasks in Splunk Cloud based on the capabilities assigned to the role. To manage roles, you must be a Splunk Cloud administrator. Do not edit the predefined roles that are provided by Splunk Cloud. Instead, create custom roles that inherit from the built-in roles, and then modify the custom roles as required.

Do not delete or edit the Splunk Cloud system user roles: admin, app-installer, index-manager, internal_ops_admin, and internal_monitoring. Splunk uses these system user roles to perform essential monitoring and maintenance activities. See the section System User Roles in this topic for more information.

Use roles to:

  • Restrict the scope of searches.
  • Inherit capabilities and available indexes from other roles.
  • Specify user capabilities.
  • Set the default index or indexes to search when no index is specified.
  • Specify which indexes to search.

For more information about capabilities in user roles, see About defining roles with capabilities and List of capabilities in the Securing Splunk Enterprise manual.

Create roles in managed Splunk Cloud deployments

  1. Go to Settings > Roles.
  2. Click New Role.
  3. Enter a name in the Name field.
  4. Complete the rest of the New role form. See "Complete the New Role form" later in this topic for specific instructions.
  5. Click Save.

Create roles in self-service Splunk Cloud deployments

  1. Log into Splunk Cloud and go to Settings > Roles.
  2. Click New Role.
  3. Enter a unique name in the Name field.
  4. Go to the Splunk Customer Portal and click manage product roles.
  5. Click Add new.
  6. Enter the name of the custom role that you created in Splunk Cloud and click the Save button.

Complete the New Role form

When you add or edit a role in Splunk Cloud, you have several options with which to configure the role. There is no requirement to make any of these changes.

Specify role inheritance

Use the 1. Inheritance tab to add or change the inheritance of existing roles.

  1. Click 1. Inheritance to display the contents of the Inheritance tab.
  2. (Optional) In the Role Name text box, type in characters to display roles whose names contain those characters.
  3. (Optional) Click the All column header to select from a menu of display options for roles: "Show selected", "Show unselected", or "Show all".
  4. (Optional) Click the checkbox next to an existing role from which you want this role to inherit. You can click multiple checkboxes, or select all existing roles by clicking the checkbox in the column header.

Specify role capabilities

Use the 2. Capabilities tab to add or change the capabilities that this role holds.

  1. Click 2. Capabilities to display the contents of the Capabilities tab.
  2. (Optional) In the Capability Name field, type in a string to display capability names that contain the string.
  3. (Optional) Click the All column header to select from a menu of display options for capabilities: "Show native", "Show inherited", "Show selected", "Show unselected", or "Show all".
  4. Click the checkbox next to the capabilities that you want to assign to this role.
  5. Click Save.

    Capabilities that have been inherited from other roles appear as grayed out and selected. You cannot deselect capabilities that come with inherited roles.

Specify searchable indexes for a role

Use the 3. Indexes tab to choose the indexes that the role can search, and which ones it should search by default.

You can specify both event and metric indexes. You can also specify wildcards that match more than one index. If a user with the role runs a metrics search without a specified index, the search includes results from the default metrics indexes that you assign to the role. You must select at least one index with data here if you want to be able to use the SPL Search Filter generator in the 4. Restrictions tab.

Wildcards let you specify all indexes that match the text you enter. For example, if you specify a wildcard of "index_us*", it captures all existing indexes that begin with index_us. Wildcards that you create appear in the Indexes table in alphabetical order, as selected and default indexes.

You can create multiple wildcards, but they only apply to the current role. You cannot transfer wildcards to other roles; instead you must explicitly create the same wildcard by editing the roles and adding the wildcards there. To delete a wildcard from a role, confirm that the wildcard is neither a selected nor a default index, and save the role.

  1. Click 3. Indexes to display the contents of the Indexes tab.
  2. (Optional) In the Wildcards section, enter a string that contains the * character and specifies the group of indexes you want to search, then click Create.

    You can repeat this action to add more wildcards. If a wildcard already exists, Splunk Web advises you.

  3. (Optional) In the Index Name field, type in a string to display index names that begin with that string.
  4. (Optional) Click the All column header to select from a menu of display options for indexes: "Show native", "Show inherited", "Show selected", "Show unselected", or "Show all".
  5. Click the Included checkbox for an index to include search results from that index for this role.
  6. Click the Default checkbox for an index to include search results from that index when a user that holds this role does not specify an index in their search.

    Indexes from inherited roles appear as grayed out and selected. You cannot deselect indexes that come with inherited roles.

Specify search restrictions for a role

Use the 4. Restrictions tab to limit the scope of search results that return when users with the role run searches. The search filter combines with the base search that users with the role run, based on several factors. The search job returns only the results that arise from the combined search.

For more information on valid syntax to use with the search filter, see "SPL search filter syntax" later in this topic.

  1. Click 4. Restrictions to display the contents of the Restrictions tab.
  2. In the SPL Search filter field, type in a valid SPL string that combines with any base search that a user with this role runs.
  3. (Optional) Use the Search filter SPL generator to create a search filter.
    1. In the Indexed fields and values time range drop down list, choose a time range to search for indexed fields and their associated values.

      For these controls to work, you must have selected at least one index with data in the Indexes tab. Changing the default time of 60 seconds can increase the amount of time it takes to populate the Indexed Fields and Values text boxes.

    2. In the "Indexed fields" text box, do one of the following:
      1. Click on the text box to display a drop-down list box that contains the most common indexed fields that were found, based on the indexes you have selected in the 3. Indexes tab and the time that you specified in the "Indexed fields and values time range" setting. The |walklex search command populates this field.
      2. Enter the name of an indexed field.

      If you select an indexed field that is already present in the SPL search filter, Splunk Web displays a message about possible SPL collisions. Review the filter to confirm that there are no unintended conflicts.

    3. In the "Values" text box, do one of the following:
      1. Click on the text box to display a drop-down list box that shows the top 250 indexed field values that were found, in lexical order, based on the fields you selected in the "Indexed fields" text box.
      2. Enter a custom field value directly. You can also use wildcards.
    4. Use the Concatenation option drop-down list box to determine how the SPL generator adds SPL text that it generates to any existing text in the SPL search filter.
      1. Choose "AND" to add the generated SPL prepended with the AND keyword.
      2. Choose "OR" to add the generated SPL prepended with the OR keyword.
      3. Choose "NOT" to add the generated SPL prepended with the NOT keyword.

      If the search filter does not have any text in it, the "Concatenation option" drop-down list box is disabled.

    5. Review the SPL that the SPL generator proposes adding to the SPL search filter.
    6. If you are satisfied with the SPL that has been generated, click Add to SPL search filter. The SPL generator updates the SPL search filter text box with the generated text. If there is already text in the filter text box, the SPL generator appends the generated text. Depending on the concatenation option you chose, the SPL generator adds the text after the "AND", "OR", or "NOT" keyword.
    7. (Optional) If you do not like the SPL that you generated with the SPL generator, you can remove the text that you added by clicking Reset.
    8. (Optional) If you want to see how the search filter can affect search results before you apply it, click Preview search filter results. This action opens a new Search page that shows the results of a search with the current search filter.
    9. The search preview results are an example of what a user with this role might see. Several factors can alter the actual results from what the preview shows.

      The preview makes the assumption that the user holds only this role. While it includes results from inherited indexes, it does not include any search filters that might exist in inherited roles.

Specify default app and search-related limits for a role

In the 5. Resources tab, you can control the default app that a user with this role sees when they log into the Splunk platform. You can also control various search job characteristics and limits.

  1. (Optional) In the Default app dropdown, select the default Splunk app that appears when a user that holds this role logs in.
  2. (Optional) In the Role search job limit section, enter the maximum number of standard searches that this role can run at a time in the Standard search job limit text box.

    To remove search limits, you can enter 0 in this and other search limit text boxes.

  3. (Optional) Enter the maximum number of real-time searches that a user with this role can run at a time in the Real-time search job limit text box.
  4. (Optional) In the User search job limit section, enter the maximum number of standard searches that users can run at a time in the Standard search job limit text box.
  5. (Optional) In the Role search time window limit section, select a time window for searches for this role. Click the drop-down list box to choose from one of "Unset" or "Indefinite" which means no limit, or "Custom time", which exposes a text box where you can enter a time limit in seconds.

    Inherited roles with a set search time window can override what you specify here.

  6. (Optional) In the Disk space limit section, enter the amount of disk space that search jobs for this role can take up at a given time in the Standard search limit text box.

Save changes to role configurations

You must save changes to role configurations (including search time restrictions) and restart the Splunk platform before those changes can take effect. If you do not restart, the instance cannot enforce your configurations and restrictions.

  • To save all of the changes you have made and close the dialog box, click Save.
  • If you do not want to save the changes, click Cancel.

    If you click Cancel, you lose any unsaved changes that you have made since you opened the Roles dialog box.

Table of Splunk platform capabilities

This list shows the capabilities that you can add to any role, and whether or not the capabilities are assigned by default to the user, power, Admin, or sc_admin roles.

The sc_admin role is the default administration role for Splunk Cloud administrators, whereas the Admin role is used by Splunk Cloud operations to perform tasks that support your Splunk Cloud instance.

Capabilities change frequently. For the most up-to-date list of capabilities that are assigned to a role, see the "Imported Capabilities" text box in the "Create a role" page in Splunk Web on your instance.

Capability name What it lets you do User Power Admin Sc_admin
accelerate_datamodel Enable or disable acceleration for data models. Set acceleration to true to enable automatic acceleration of this data model. Additional space is required depending on the number of events, fields, and distinct field values in the data. See the Knowledge Manager Manual for more information. X X
accelerate_search Lets the user enable or disable acceleration for reports. The user must also have the schedule_search capability assigned. Works for searches that use transforming commands. See the Knowledge Manager Manual for more information. X X X X
admin_all_objects Lets the user access and modify any object in the system regardless of any restrictions set in the objects. For example user objects, search jobs, reports, and knowledge objects. Lets the user bypass any ACL restrictions, much the way root access in a *nix environment does. X X
change_authentication Lets the user change authentication settings and reload authentication. See the Securing Splunk Enterprise Manual for more about authentication. X X
change_own_password Lets the user change their own password. X X X X
delete_by_keyword Lets the user use the "delete" operator. The "delete" command marks all of the events returned by the search as deleted. This masks the data from showing up in search results but does not actually delete the raw data on disk. See the Search Manual for more information.
delete_messages Lets a user delete system messages that appear in the UI navigation bar. X X X
dispatch_rest_to_indexers Lets a user dispatch the REST search command to indexers. X
edit_bookmarks_mc Lets a user add bookmark URLs within the Monitoring Console. The URLs redirect administrators to Monitoring Console instances in other Splunk deployments. X
edit_deployment_client Lets the user change deployment client settings. See the Managing Indexers and Clusters of Indexers Manual for more about the deployment client. X
edit_deployment_server Lets the user change deployment server settings. User can change or create remote inputs that are pushed to the forwarders and other deployment clients. See the Managing Indexers and Clusters of Indexers manual for more about the deployment server. X
edit_dist_peer Lets the user add and edit peers for distributed search. See the Managing Indexers and Clusters of Indexers Manual for more information. X
edit_encryption_key_provider Lets the user view and edit key provider properties when they use Server-Side Encryption (SSE) for a remote storage volume. X
edit_forwarders Lets the user change forwarder settings, including settings for SSL, backoff schemes, etc. Also used by TCP and Syslog output admin handlers. X
edit_health Lets a user enable/disable health reporting, set health status alerts, and set indicator thresholds for a feature in the splunkd health status tree through the server/health-config/ endpoint. X
edit_httpauths Lets the user edit and end user sessions through the httpauth-tokens endpoint. X
edit_indexer_cluster Lets the user edit indexer clusters. See the Managing Indexers and Clusters of Indexers Manual for more about indexers. X
edit_indexerdiscovery Lets the user edit settings for indexer discovery, including settings for master_uri, pass4SymmKey, and so on. Used by Indexer Discovery admin handlers. X
edit_input_defaults Lets the user use the server settings endpoint to change default hostnames for input data. X X
edit_local_apps Lets the user edit actions for application management. Applies only when you set the enable_install_apps setting to "true" in authorize.conf. X
edit_metric_schema Lets the user set up log-to-metrics transformations, which can convert single log events into multiple metric data points. X
edit_metrics_rollup Lets the user create and edit metrics rollup policies, which set rules for the aggregation and summarization of metrics on a specific metric index. X
edit_monitor Lets the user add inputs and edit settings for monitoring files. Also used by the standard inputs endpoint and the one-shot input endpoint. X
edit_roles Lets the user edit roles and change user/role mappings. Used by both the user and role endpoint. X
edit_roles_grantable Lets the user edit roles and change user/role mappings for a limited set of roles. Can assign any role to other users. To limit this ability, configure grantableRoles in authorize.conf. For example: grantableRoles = role1;role2;role3 X X
edit_scripted Lets the user create and edit scripted inputs. X
edit_search_concurrency_all Lets a user edit settings related to maximum concurrency of searches. X
edit_search_concurrency_scheduled Lets a user edit settings related to concurrency of scheduled searches.
edit_search_head_clustering Lets the user edit search head clustering settings. X
edit_search_schedule_priority Lets the user assign a search a higher-than-normal schedule priority. For information about the search scheduler, see the Knowledge Manager Manual. X X
edit_search_schedule_window Lets the user assign schedule windows to scheduled reports. Requires the schedule_search capability. For more about the search scheduler, see the Knowledge Manager Manual. X X X X
edit_search_scheduler Lets the user enable and disable the search scheduler. See the Knowledge Manager Manual. X X
edit_search_server Lets the user edit general distributed search settings like timeouts, heartbeats, and blacklists. X
edit_server Lets the user edit general server settings like server name, log levels, etc. X
edit_server_crl Lets the user edit general server settings like server name, log levels, etc. Inherits the ability to read general server and introspection settings. X
edit_sourcetypes Lets the user edit sourcetypes. See the Knowledge Manager manual for more information about sourcetypes. X X X
edit_splunktcp Lets the user change settings for receiving TCP inputs from another Splunk instance. X
edit_splunktcp_ssl Lets the user view or edit any SSL-specific settings for Splunk TCP input. X
edit_splunktcp_token Lets the user edit the Splunktcp token. X
edit_tcp Lets the user change settings for receiving general TCP inputs. X
edit_tcp_token Lets the user change TCP tokens. This is an admin capability and should only be assigned to system administrators. X
edit_telemetry_settings Opt in or out of product instrumentation. See Share data in Splunk Enterprise in the Admin Manual. X
edit_token_http Lets the user create, edit, display, and remove settings for HTTP token input. Also enables the HTTP Event Collector feature. X
edit_tokens_all Lets the user issue tokens to all users. X
edit_tokens_own Lets the user issue tokens to themself. X
edit_tokens_settings Lets the user manage token settings. X
edit_udp Lets the user change settings for UDP inputs. X
edit_user Lets the user create, edit, or remove users. A role with the edit_user capability can assign any role to other users. To limit this ability, configure grantableRoles in authorize.conf. For example: grantableRoles = role1;role2;role3. Also lets a user manage certificates for distributed search. X X
edit_view_html Lets the user create, edit, or modify HTML-based views. X
edit_web_settings Lets the user change settings for web.conf through the system settings endpoint. X
edit_workload_pools Lets the user create and edit workload pools through the workloads/pools endpoint. X
edit_workload_rules Lets the user create and edit workload rules through the workloads/rules endpoint. X
embed_report Lets the user embed reports and disable embedding for embedded reports. X X
export_results_is_visible Lets the user display or hide the Export Results button in Splunk Web. The default value is to display the button. X X X X
get_diag Lets the user get a remote diag from a Splunk instance using the /streams/diag endpoint. X
get_metadata Lets the user use the "metadata" search processor. X X X X
get_typeahead Lets the user use typeahead in the endpoint and the typeahead search field. X X X X
indexes_edit Lets the user change any index settings such as file size and memory limits. X X
input_file Lets the user add a file as an input through inputcsv (except for dispatch=t mode) and inputlookup. X X X X
install_apps Lets the user install, uninstall, create, and make updates to apps. Applies only when you configure the enable_install_apps setting to "true" in authorize.conf. X
license_edit Lets the user edit the license. X
license_tab Lets the user access and change the license. This attribute is deprecated. X
license_view_warnings Lets the user see a warning message when they are exceeding data limits or reaching the expiration date of their license. These warnings appear on the system banner. X
list_accelerate_search Lets the user view accelerated reports. User cannot accelerate reports. X
list_deployment_client Lets the user view deployment client settings. X
list_deployment_server View deployment server settings. X
list_forwarders Lets a user list and view settings for data forwarding. Can be used by TCP and Syslog output admin handlers. X
list_health Lets a user monitor the health of Splunk Enterprise features (such as inputs, outputs, clustering, and so on) through REST endpoints. X
list_httpauths Lets the user view user sessions through the httpauth-tokens endpoint. X X
list_indexer_cluster Lets the user view the list of indexer clusters as well as indexer cluster objects such as buckets, peers, etc. X
list_indexerdiscovery Lets the user view settings for indexer discovery. Also used by indexer discovery handlers. X
list_inputs Lets the user view lists of various inputs, including input from files, TCP, UDP, scripts, etc. X X X X
list_introspection Lets the user read introspection settings and statistics for indexers, search, processors, queues, etc. X X
list_metrics_catalog Lets the user query for lists of metrics catalog information such as metric names, dimensions, and dimension values. X X X
list_search_head_clustering Lets the user list and view search head clustering objects like artifacts, delegated jobs, members, captain, etc. X
list_search_scheduler Lets the user view lists of search scheduler jobs. X X
list_settings Lets the user list and view server and introspection settings such as the server name, log levels, etc. X X
list_storage_passwords Lets the user list and view the /storage/passwords endpoint, lets the user perform GETs. The admin_all_objects capability must be added to the role for the user to perform POSTs to the /storage/passwords endpoint. X X
list_tokens_all Lets the user view all tokens. X
list_tokens_own Lets the user view their own tokens. X X X
list_workload_pools Lets a user list and view workload pool and workload status information from the workloads/rules endpoint. X
list_workload_rules Lets a user list and view workload rule information from the workloads/rules endpoint. X
metric_alerts Lets a user create, update, enable, disable, and delete a streaming metric alert. X X
never_expire Lets a user account never expire. X
never_lockout Lets a user account never lock the user out. X
output_file Lets the user create file outputs, including outputcsv (except for dispatch=t mode) and outputlookup. X X X X
pattern_detect Lets the user see and use the Patterns tab in the Search view. X X X X
request_remote_tok Lets the user obtain a remote authentication token, which lets the user perform some distributed peer management and bundle replication and distribute searches to old 4.0.x Splunk instances. X X X X
rest_apps_management Lets the user edit settings for entries and categories in the Python remote apps handler. See restmap.conf for more information. X X
rest_apps_view Lets the user list and view various properties in the Python remote apps handler. See restmap.conf for more information. X X X X
rest_properties_get Lets the user get information from the services/properties endpoint. X X X X
rest_properties_set Lets the user edit the services/properties endpoint. X X X X
restart_splunkd Lets the user restart Splunk Enterprise through the server control handler. X
rtsearch Lets the user run real-time searches. X X X
run_collect Lets the user run the collect command. X X X
run_mcollect Lets the user run the mcollect and meventcollect commands. X X X
run_msearch Lets the user run the msearch command. X
run_multi_phased_searches Lets the user run searches with the redistribute command, which invokes parallel reduce search processing in distributed search environments. This capability is not assigned to any role by default.
schedule_rtsearch Lets the user schedule real-time saved searches. The schedule_search capability must also be assigned to the role. X X X X
schedule_search Lets the user schedule saved searches, create and update alerts, and review triggered alert information. X X X
search Lets the user run a search. See the Search Manual for more information. X X X X
search_process_config_refresh Lets the user use the "refresh search-process-config" CLI command to manually flush idle search processes. X X X
select_workload_pools Lets a user assign a scheduled search or ad-hoc search to a workload pool. X
srchFilter Lets the user manage search filters. See the Search Manual for more information. X
srchIndexesAllowed Lets the user run search indexes. See the Search Manual for more information. X
srchIndexesDefault Lets the user set default search indexes. X
srchJobsQuota Lets the user set search job quotas. X
srchMaxTime Lets the user set the maximum time for a search. X
upload_lookup_files Lets the user upload files that can be used in conjunction with lookup definitions. Only affects lookup types that involve the upload of a file, such as CSV and geospatial lookups. X X X
use_file_operator Lets the user use the "file" search operator. The "file" search operator is deprecated. X
web_debug Lets the user debug Web files. X
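
The following added example (not Splunk's own code) audits role definitions against two points made in this topic: a user with several roles gets the combined capabilities and index access of all of them, including inherited roles, and a role holding edit_user or edit_roles_grantable can assign any role unless grantableRoles is configured. Assumptions: the input uses authorize.conf-style stanzas ([role_<name>], importRoles, srchIndexesAllowed, srchFilter, grantableRoles), the sample roles and indexes are constructed, the HIGH_RISK watch list is a selection made here from the table above, and grantableRoles is checked only on the role's own stanza.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed authorize.conf-style input. Role and index names are illustrative.
SAMPLE_CONF = """
[role_user]
search = enabled
change_own_password = enabled
srchIndexesAllowed = main

[role_regional_analyst]
importRoles = user
srchIndexesAllowed = index_us*
srchFilter = region=us

[role_helpdesk]
importRoles = user
edit_user = enabled

[role_helpdesk_scoped]
importRoles = user
edit_roles_grantable = enabled
grantableRoles = user;regional_analyst

[role_break_glass]
importRoles = regional_analyst
admin_all_objects = enabled
list_storage_passwords = enabled
"""

# Assumed watch list, picked from the capability table on this page.
HIGH_RISK = {
    "admin_all_objects", "change_authentication", "delete_by_keyword",
    "edit_roles", "edit_roles_grantable", "edit_tcp_token", "edit_user",
    "list_storage_passwords",
}
ROLE_GRANTING = {"edit_user", "edit_roles_grantable"}
SETTINGS = {"importRoles", "srchIndexesAllowed", "srchIndexesDefault",
            "srchFilter", "grantableRoles"}


def _split(value):
    return [v.strip() for v in value.split(";") if v.strip()]


def parse_roles(text):
    """Parse [role_<name>] stanzas into a dict keyed by role name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep camelCase setting names as written
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        items = dict(cp[section])
        roles[section[len("role_"):]] = {
            "caps": {k for k, v in items.items()
                     if k not in SETTINGS and v.strip().lower() == "enabled"},
            "imports": _split(items.get("importRoles", "")),
            "indexes": _split(items.get("srchIndexesAllowed", "")),
            "filter": items.get("srchFilter", "").strip(),
            "grantable": _split(items.get("grantableRoles", "")),
        }
    return roles


def closure(roles, names):
    """Return the named roles plus every role they import, transitively."""
    seen, stack = [], list(names)
    while stack:
        name = stack.pop()
        if name in seen or name not in roles:  # also stops import cycles
            continue
        seen.append(name)
        stack.extend(roles[name]["imports"])
    return seen


def effective_access(roles, assigned, all_indexes):
    """Combine capabilities and index access across all assigned roles."""
    chain = closure(roles, assigned)
    caps = set().union(*(roles[r]["caps"] for r in chain))
    patterns = {p for r in chain for p in roles[r]["indexes"]}
    indexes = sorted(i for i in all_indexes
                     if any(fnmatchcase(i, p) for p in patterns))
    # Filters are listed per role; how they combine is left to the platform.
    filters = {r: roles[r]["filter"] for r in chain if roles[r]["filter"]}
    return {"capabilities": caps, "indexes": indexes, "filters": filters}


def audit(roles):
    """Flag high-risk capabilities and role granting without grantableRoles."""
    findings = []
    for name in sorted(roles):
        caps = effective_access(roles, [name], [])["capabilities"]
        for cap in sorted(caps & HIGH_RISK):
            findings.append((name, "high-risk capability", cap))
        granting = sorted(caps & ROLE_GRANTING)
        if granting and not roles[name]["grantable"]:
            findings.append((name, "role-granting capability without grantableRoles",
                             ";".join(granting)))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_roles(SAMPLE_CONF)):
        print(*finding, sep=" | ")
```
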

System User Roles

Splunk uses system user roles to perform essential monitoring and maintenance activities.

Do not delete or edit the Splunk Cloud system user roles: admin, app-installer, index-manager, internal_ops_admin, and internal_monitoring.

General abilities of system user roles

The following table provides information about the general abilities of the internal_monitoring and internal_ops_admin system user roles.

internal_ops_admin internal_monitoring
Search internal data x
Search external data
Manage configurations x
Manage authentication
Manage ingestion x
Restart splunk x
Gather internal metadata x x
Last modified on 29 July, 2020

This documentation applies to the following versions of Splunk Cloud: 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 8.0.2001

