Splunk Cloud

Splunk Cloud User Manual

Manage Splunk Cloud users and roles

Splunk Cloud administrators can create users and assign roles to them. Roles are named collections of capabilities that determine the access and permissions of any user assigned that role. Splunk Cloud comes with predefined user accounts and roles. You can also create custom user accounts and roles.

User accounts that have multiple roles inherit properties from the role with the broadest permissions, as follows.

  • Search filters: Users that are assigned multiple roles inherit the capabilities from all assigned roles. For example, if you define two roles with different search filters, and a user account is assigned both roles, then the search filters and restrictions of both roles apply to the user. If a user that has no search restrictions is assigned a role that has search restrictions, the user inherits the search restrictions.
  • Allowed indexes: Users who have multiple roles with multiple indexes assigned get the highest level of index access assigned for any of the roles. For example, if a user is assigned both the "user" role, which limits index access to a single index, and the "power" role, which allows access to all indexes, the user has access to all indexes. If you want the same user account to inherit capabilities from a different "advanced user" role, but nothing more, create a new role specifically for that user.
  • Capabilities: Users who have multiple roles with multiple capabilities inherit the combined capabilities of all roles. For example, if an administrator creates a user account and assigns the "administrator" role with 15 capabilities, and also assigns the "advanced user" role, with a different set of 15 capabilities, the user account has the combined 30 capabilities of both roles.
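
The merge rules in the list above can be checked offline before a role is assigned. The following is an added example, not part of the Splunk documentation and not Splunk code: it computes a user's effective capabilities and searchable indexes from several roles, follows role inheritance (described later in this topic), and reports which role grants each index. The role definitions, index names and filters are constructed sample data, shell-style wildcard matching is an assumption, and search filters are only collected, not combined.

```python
from fnmatch import fnmatchcase

# Constructed sample data: role names, capabilities, index names and filters
# are illustrative values, not an export from a real deployment.
ROLES = {
    "user": {"inherits": [], "capabilities": {"search"},
             "indexes": {"main"}, "search_filter": "sourcetype=web_access"},
    "power": {"inherits": ["user"], "capabilities": {"schedule_search"},
              "indexes": {"*"}, "search_filter": ""},
    "soc_analyst": {"inherits": ["user"], "capabilities": {"list_inputs"},
                    "indexes": {"index_us*"}, "search_filter": "host=fw*"},
}
ALL_INDEXES = ["main", "index_us_east", "index_us_west", "index_eu", "audit_hr"]


def resolve_role(name, roles, seen):
    """Collect a role's own and inherited capabilities, index patterns, filters."""
    if name in seen:  # visited already (shared parent or inheritance cycle)
        return set(), set(), []
    seen.add(name)
    role = roles[name]
    caps, patterns = set(role["capabilities"]), set(role["indexes"])
    filters = [(name, role["search_filter"])] if role["search_filter"] else []
    for parent in role["inherits"]:
        p_caps, p_patterns, p_filters = resolve_role(parent, roles, seen)
        caps |= p_caps
        patterns |= p_patterns
        filters += p_filters
    return caps, patterns, filters


def effective_access(assigned, roles, all_indexes):
    """Merge every assigned role: capabilities and indexes are unions."""
    caps, patterns, filters, seen = set(), set(), [], set()
    for name in assigned:
        c, p, f = resolve_role(name, roles, seen)
        caps |= c
        patterns |= p
        filters += f
    # Assumption: wildcard entries match index names shell-style (fnmatch).
    indexes = sorted(i for i in all_indexes
                     if any(fnmatchcase(i, pat) for pat in patterns))
    return {"capabilities": caps, "indexes": indexes, "filters": filters}


def index_grants(assigned, roles, all_indexes):
    """Map each searchable index to the assigned roles that grant it."""
    grants = {}
    for name in assigned:
        for idx in effective_access([name], roles, all_indexes)["indexes"]:
            grants.setdefault(idx, []).append(name)
    return grants


if __name__ == "__main__":
    for who in (["user", "soc_analyst"], ["user", "power"]):
        access = effective_access(who, ROLES, ALL_INDEXES)
        print(who, access["indexes"], sorted(access["capabilities"]))
        print("  granted by:", index_grants(who, ROLES, ALL_INDEXES))
```

An index that appears under only one role in the index_grants output is reachable solely because of that role, which is the assignment to review when access is broader than intended.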

Manage Splunk Cloud users

You administer users from the Users page in Splunk Web.

Do not delete or edit the Splunk Cloud system user roles: admin, app-installer, index-manager, internal_ops_admin, and internal_monitoring. Splunk uses these system user roles to perform essential monitoring and maintenance activities. See the section System User Roles in this topic for more information.

Create a Splunk Cloud user account

To create an account for a Splunk Cloud user, perform the following steps:

  1. Go to Settings > Users.
  2. Click New User.
  3. Enter a name for the user account in the Name field.
  4. Enter the first and last name of the user in the Full name field.
  5. Enter an email address at which you can contact the user in the Email address field.
  6. Enter a password for the user. The password must contain at least eight characters.
  7. Confirm the password in the Confirm password field.
  8. (Optional) Select the time zone for the user. This lets users view events and other information in their local time zone.
  9. (Optional) Set a default app if you want to override the default app that launches after the user logs in. If unset, the user account inherits the default app that belongs to the role.
  10. Assign at least one role to the user or select Create a role for this user to create a new role and assign it to the user. Multiple roles inherit permissions.
  11. If you want the user to change their password when they log in, click Require password change on first login.
  12. Click Save.

The user account appears in the Users page under the Username column. You can contact the user to provide the login credentials needed to access Splunk Cloud. Inform the user to change the temporary password immediately after the first login.

Change a Splunk Cloud user account

Splunk Cloud administrators can update user settings.

  1. Go to Settings > Users.
  2. Click the username for the user that you want to update, or click Edit in the Actions menu for that user.
  3. Update the settings for the user. The settings are the same as when you create a user, with the exception that the password change requirement checkbox is for the next login. For specific information on each setting, see "Create a Splunk Cloud user account" earlier in this topic.
  4. After you have edited the user settings, if you want to save them, click Save. If you don't want to save the changes, click Cancel.

Clone a Splunk Cloud user account

Splunk Cloud administrators can clone a user account. The clone operation creates a new user account with the same settings as the cloned user account, except for the username. The username must be unique for each user account.

  1. Go to Settings > Users.
  2. Click Clone in the Actions column of the user that you want to clone.
  3. Enter a unique username for the user in the Username field.
  4. Optionally, update additional settings. For specific information on each setting, see "Create a Splunk Cloud user account" earlier in this topic.
  5. Click Save.

The new user account appears in the Users page.

Delete a Splunk Cloud user account

Splunk Cloud administrators can delete user accounts.

  1. Go to Settings > Users.
  2. Click Delete in the Action column for the user that you want to delete.
  3. Click OK.

Perform actions on Splunk Cloud users

You can perform several different actions on an existing Splunk Cloud user on the Users page, including but not limited to making edits, cloning, viewing a list of capabilities, and performing a search as the user. These actions are available under the Actions column for each user, and you can access them by clicking the Edit link in that column.

  • To edit a Splunk Cloud user, click Edit. The "Edit User" page appears. See "Change a Splunk Cloud user account" earlier in this topic for editing instructions.
  • To clone a Splunk Cloud user, click Clone. This action takes you through the "Create a Splunk Cloud user account" process to create an identical user.
  • To view all of the capabilities that a Splunk Cloud user has, click View Capabilities. This loads the "View Capabilities" page which lists all of the capabilities that the user has, based on the roles that the user holds.
  • To run a search as a specific Splunk Cloud user, based on the capabilities that user has and the roles that they hold, click Search As. This loads a Search page where you can run a search within the framework of the user's roles and capabilities. The admin user does not have this option because it has all capabilities by default.
  • To delete a Splunk Cloud user, click Delete. Splunk Cloud confirms whether or not you want to delete the user.

Manage Splunk Cloud roles

Each user account is assigned one or more roles. Roles give users permissions to perform tasks in Splunk Cloud based on the capabilities assigned to the role. To manage roles, you must be a Splunk Cloud administrator. Do not edit the predefined roles that are provided by Splunk Cloud. Instead, create custom roles that inherit from the built-in roles, and then modify the custom roles as required.

Do not delete or edit the Splunk Cloud system user roles: admin, app-installer, index-manager, internal_ops_admin, and internal_monitoring. Splunk uses these system user roles to perform essential monitoring and maintenance activities. See the section System User Roles in this topic for more information.

Use roles to:

  • Restrict the scope of searches.
  • Inherit capabilities and available indexes from other roles.
  • Specify user capabilities.
  • Set the default index or indexes to search when no index is specified.
  • Specify which indexes to search.

For more information about capabilities in user roles, see About defining roles with capabilities and List of capabilities in the Securing Splunk Enterprise manual.

Create roles in managed Splunk Cloud deployments

  1. Go to Settings > Roles.
  2. Click New Role.
  3. Enter a name in the Name field.
  4. Complete the rest of the New role form. See "Complete the New Role form" later in this topic for specific instructions.
  5. Click Save.

Create roles in self-service Splunk Cloud deployments

  1. Log into Splunk Cloud and go to Settings > Roles.
  2. Click New Role.
  3. Enter a unique name in the Name field.
  4. Go to the Splunk Customer Portal and click manage product roles.
  5. Click Add new.
  6. Enter the name of the custom role that you created in Splunk Cloud and click the Save button.

Complete the New Role form

When you add or edit a role in Splunk Cloud, you have several options with which to configure the role. There is no requirement to make any of these changes.

Specify role inheritance

Use the 1. Inheritance tab to add or change the inheritance of existing roles.

  1. Click 1. Inheritance to display the contents of the Inheritance tab.
  2. (Optional) In the Role Name text box, type in characters to display roles whose names contain those characters.
  3. (Optional) Click the All column header to select from a menu of display options for roles: "Show selected", "Show unselected", or "Show all".
  4. (Optional) Click the checkbox next to an existing role from which you want this role to inherit. You can click multiple checkboxes, or select all existing roles by clicking the checkbox in the column header.

Specify role capabilities

Use the 2. Capabilities tab to add or change the capabilities that this role holds.

  1. Click 2. Capabilities to display the contents of the Capabilities tab.
  2. (Optional) In the Capability Name field, type in a string to display capability names that contain the string.
  3. (Optional) Click the All column header to select from a menu of display options for capabilities: "Show native", "Show inherited", "Show selected", "Show unselected", or "Show all".
  4. Click the checkbox next to the capabilities that you want to assign to this role.
  5. Click Save.

    Capabilities that have been inherited from other roles appear as grayed out and selected. You cannot deselect capabilities that come with inherited roles.

Specify searchable indexes for a role

Use the 3. Indexes tab to choose the indexes that the role can search, and which ones it should search by default.

You can specify both event and metric indexes. You can also specify wildcards that match more than one index. If a user with the role runs a metrics search without a specified index, the search includes results from the default metrics indexes that you assign to the role. You must select at least one index with data here if you want to be able to use the SPL Search Filter generator in the 4. Restrictions tab.

Wildcards let you specify all indexes that match the text you enter. For example, if you specify a wildcard of "index_us*," it captures all existing indexes that begin with index_us. Wildcards that you create appear in the Indexes table in alphabetical order, as selected and default indexes.

You can create multiple wildcards, but they only apply to the current role. You cannot transfer wildcards to other roles; instead you must explicitly create the same wildcard by editing the roles and adding the wildcards there. To delete a wildcard from a role, confirm that the wildcard is neither a selected nor a default index, and save the role.

  1. Click 3. Indexes to display the contents of the Indexes tab.
  2. (Optional) In the Wildcards section, enter a string that contains the * character and specifies the group of indexes you want to search, then click Create.

    You can repeat this action to add more wildcards. If a wildcard already exists, Splunk Web advises you.

  3. (Optional) In the Index Name field, type in a string to display index names that begin with that string.
  4. (Optional) Click the All column header to select from a menu of display options for indexes: "Show native", "Show inherited", "Show selected", "Show unselected", or "Show all".
  5. Click the Included checkbox for an index to include search results from that index for this role.
  6. Click the Default checkbox for an index to include search results from that index when a user that holds this role does not specify an index in their search.

    Indexes from inherited roles appear as grayed out and selected. You cannot deselect indexes that come with inherited roles.

Specify search restrictions for a role

Use the 4. Restrictions tab to limit the scope of search results that return when users with the role run searches. The search filter combines with the base search that users with the role run, based on several factors. The search job returns only the results that arise from the combined search.

For more information on valid syntax to use with the search filter, see "SPL search filter syntax" later in this topic.

  1. Click 4. Restrictions to display the contents of the Restrictions tab.
  2. In the SPL Search filter field, type in a valid SPL string that combines with any base search that a user with this role runs.
  3. (Optional) Use the Search filter SPL generator to create a search filter.
    1. In the Indexed fields and values time range drop down list, choose a time range to search for indexed fields and their associated values.

      For these controls to work, you must have selected at least one index with data in the Indexes tab. Changing the default time of 60 seconds can increase the amount of time it takes to populate the Indexed Fields and Values text boxes.

    2. In the "Indexed fields" text box, do one of the following:
      1. Click on the text box to display a drop-down list box that contains the most common indexed fields that were found, based on the indexes you have selected in the 3. Indexes tab and the time that you specified in the "Indexed fields and values time range" setting. The |walklex search command populates this field.
      2. Enter the name of an indexed field.

      If you select an indexed field that is already present in the SPL search filter, Splunk Web displays a message about possible SPL collisions. Review the filter to confirm that there are no unintended conflicts.

    3. In the "Values" text box, do one of the following:
      1. Click on the text box to display a drop-down list box that shows the top 250 indexed field values that were found, in lexical order, based on the fields you selected in the "Indexed fields" text box.
      2. Enter a custom field value directly. You can also use wildcards.
    4. Use the Concatenation option drop-down list box to determine how the SPL generator adds SPL text that it generates to any existing text in the SPL search filter.
      1. Choose "AND" to add the generated SPL prepended with the AND keyword.
      2. Choose "OR" to add the generated SPL prepended with the OR keyword.
      3. Choose "NOT" to add the generated SPL prepended with the NOT keyword.

      If the search filter does not have any text in it, the "Concatenation option" drop-down list box is disabled.

    5. Review the SPL that the SPL generator proposes adding to the SPL search filter.
    6. If you are satisfied with the SPL that has been generated, click Add to SPL search filter. The SPL generator updates the SPL search filter text box with the generated text. If there is already text in the filter text box, the SPL generator appends the generated text. Depending on the concatenation option you chose, the SPL generator adds the text after the "AND", "OR", or "NOT" keyword.
    7. (Optional) If you do not like the SPL that you generated with the SPL generator, you can remove the text that you added by clicking Reset.
    8. (Optional) If you want to see how the search filter can affect search results before you apply it, click Preview search filter results. This action opens a new Search page that shows the results of a search with the current search filter.
    9. The search preview results are an example of what a user with this role might see. Several factors can alter the actual results from what the preview shows.

      The preview makes the assumption that the user holds only this role. While it includes results from inherited indexes, it does not include any search filters that might exist in inherited roles.

Specify default app and search-related limits for a role

In the 5. Resources tab, you can control the default app that a user with this role sees when they log into the Splunk platform. You can also control various search job characteristics and limits.

  1. (Optional) In the Default app dropdown, select the default Splunk app that appears when a user that holds this role logs in.
  2. (Optional) In the Role search job limit section, enter the maximum number of standard searches that this role can run at a time in the Standard search job limit text box.

    To remove search limits, you can enter 0 in this and other search limit text boxes.

  3. (Optional) Enter the maximum number of real-time searches that a user with this role can run at a time in the Real-time search job limit text box.
  4. (Optional) In the User search job limit section, enter the maximum number of standard searches that users can run at a time in the Standard search job limit text box.
  5. (Optional) In the Role search time window limit section, select a time window for searches for this role. Click the drop-down list box to choose from one of "Unset" or "Indefinite" which means no limit, or "Custom time", which exposes a text box where you can enter a time limit in seconds.

    Inherited roles with a set search time window can override what you specify here.

  6. (Optional) In the Disk space limit section, enter the amount of disk space that search jobs for this role can take up at a given time in the Standard search limit text box.

Save changes to role configurations

You must save changes to role configurations (including search time restrictions) and restart the Splunk platform before those changes can take effect. If you do not restart, the instance cannot enforce your configurations and restrictions.

  • To save all of the changes you have made and close the dialog box, click Save.
  • If you do not want to save the changes, click Cancel.

    If you click Cancel, you lose any unsaved changes that you have made since you opened the Roles dialog box.

System User Roles

Splunk uses system user roles to perform essential monitoring and maintenance activities.

Do not delete or edit the Splunk Cloud system user roles: admin, app-installer, index-manager, internal_ops_admin, and internal_monitoring.

General abilities of system user roles

The following table provides information about the general abilities of the internal_monitoring and internal_ops_admin system user roles.

internal_ops_admin internal_monitoring
Search internal data x
Search external data
Manage configurations x
Manage authentication
Manage ingestion x
Restart splunk x
Gather internal metadata x x
Last modified on 24 March, 2020

This documentation applies to the following versions of Splunk Cloud: 8.0.2001

