Create and manage roles with Splunk Web
On the Splunk platform, as an administrator, you can assign roles to users. These roles determine the level of access that those users have to the platform and the tasks that they can perform on the platform. Splunk Enterprise comes with a set of default roles, and you can also create your own custom roles that you can tailor to the needs of your organization.
Roles can contain one or more capabilities that provide access to specific parts of the Splunk platform. A user that holds a role receives all of the capabilities that come with the role. Additionally, roles can inherit capabilities from other roles.
You can use roles for the following security-related tasks:
- To restrict the scope of searches.
- To inherit capabilities and available indexes from other roles.
- To specify user capabilities.
- To set the default index or indexes that a user is to search when they do not specify an index in their search command.
- To specify which indexes that a user can search.
Do not edit any predefined roles to remove capabilities from them. The sc_admin role does not have enough permission to restore some of the capabilities you remove. Instead of deleting or editing the predefined roles, create custom roles that inherit from the predefined roles, and use and edit the custom roles as you need.
For more information about capabilities in user roles, see About defining roles with capabilities and List of capabilities.
Manage role inheritance, searched indexes, restrictions, and available search resources
You use the "Roles" page in Splunk Web to create, manage, and delete roles. When you perform role management, you can modify the following role properties:
- You can manage role inheritance. See "Specify role inheritance" later in this topic.
- You can manage the indexes that a role has available to it, as well as which indexes the Splunk platform searches by default. See "Specify searchable indexes for a role" later in this topic.
- You can apply a search filter to further limit search results. You can either specify the filter manually or use the search filter generator - a wizard that lets you build and populate the filter by using indexed fields and values found in those indexes. See "Specify search restrictions for a role" later in this topic.
- You can control resource usage on the platform in several ways. See "Specify default app and search limits for a role" later in this topic:
  - You can limit disk space usage for search artifacts.
  - You can limit the number of searches that the role as a whole can run, and the number of searches that users who hold the role can run individually.
  - You can specify the earliest time that a search can return results, which means you can limit results by the age of the data.
  - You can limit searches to return results in a specific time window.
While you can have any role inherit from any other role, custom roles that inherit from the admin or power users roles do not automatically inherit administrator-level access to the instance. You must grant that access specifically.
- For more information about roles and how they inherit capabilities and permissions, see About configuring role-based user access.
- For information about granting management access to custom roles, see Add access controls to custom roles.
- For more information about role inheritance, see Role inheritance in the About configuring role-based user access topic.
- For more information about how capabilities work, as well as the full list of capabilities, see About defining roles with capabilities.
Add or edit a role
Create or edit roles for your Splunk Enterprise instance on the Roles page in Settings.
- Click Settings > Roles.
- Click New Role to create a new role, or click an existing role to edit it.
- Enter a name for your role. Note: Role names must use lowercase characters only. They cannot contain spaces, colons, or forward slashes. You cannot edit the names of existing roles.
- Make adjustments to role settings by editing configurations in any of the tabs in this dialog box.
- After you have made the configuration changes that you want, click Save to save the role.
Specify role inheritance
Use the 1. Inheritance tab to add or change the inheritance of existing roles.
- Click 1. Inheritance to display the contents of the Inheritance tab.
- (Optional) In the Role Name text box, type in characters to display roles whose names contain those characters.
- (Optional) Click the All column header to select from a menu of display options for roles: "Show selected", "Show unselected", or "Show all".
- (Optional) Click the checkbox next to an existing role from which you want this role to inherit. You can click multiple checkboxes, or select all existing roles by clicking the checkbox in the column header.
Specify role capabilities
Use the 2. Capabilities tab to add or change the capabilities that this role holds.
- Click 2. Capabilities to display the contents of the Capabilities tab.
- (Optional) In the Capability Name field, type in a string to display capability names that contain the string.
- (Optional) Click the All column header to select from a menu of display options for capabilities: "Show native", "Show inherited", "Show selected", "Show unselected", or "Show all".
- Click the checkbox next to the capabilities that you want to assign to this role.
- Click Save. Note: Capabilities that the current role has inherited from other roles appear as grayed out and selected. You cannot deselect capabilities that come with inherited roles.
Specify searchable indexes for a role
Use the 3. Indexes tab to choose the indexes that the role can search, and which ones it should search by default.
You can specify both event and metric indexes. You can also specify wildcards that match more than one index. If a user with the role runs a metrics search without a specified index, the search includes results from the default metrics indexes that you assign to the role. You must select at least one index with data here if you want to be able to use the SPL Search Filter generator in the 4. Restrictions tab.
Wildcards let you specify all indexes that match the text you enter. For example, if you specify a wildcard of "index_us*," it captures all existing indexes that begin with index_us. Wildcards that you create appear in the Indexes table in alphabetical order, as selected and default indexes. 
You can create multiple wildcards, but they only apply to the current role. You cannot transfer wildcards to other roles; instead you must explicitly create the same wildcard by editing the roles and adding the wildcards there. To delete a wildcard from a role, confirm that the wildcard is neither a selected nor a default index, and save the role.
- Click 3. Indexes to display the contents of the Indexes tab.
- (Optional) In the Wildcards section, enter a string that contains the * character and specifies the group of indexes you want to search, then click Create. Note: You can repeat this action to add more wildcards. If a wildcard already exists, Splunk Web advises you.
- (Optional) In the Index Name field, type in a string to display index names that begin with that string.
- (Optional) Click the All column header to select from a menu of display options for indexes: "Show native", "Show inherited", "Show selected", "Show unselected", or "Show all".
- Click the Included checkbox for an index to include search results from that index for this role.
- Click the Default checkbox for an index to include search results from that index when a user that holds this role does not specify an index in their search. Note: Indexes from inherited roles appear as grayed out and selected. You cannot deselect indexes that come with inherited roles.
Specify search restrictions for a role
Use the 4. Restrictions tab to limit the scope of search results that return when users with the role run searches. The search filter combines with the base search that users with the role run, based on several factors. The search job returns only the results that arise from the combined search.
For more information on valid syntax to use with the search filter, see "SPL search filter syntax" later in this topic.
- Click 4. Restrictions to display the contents of the Restrictions tab.
- In the SPL Search filter field, type in a valid SPL string that combines with any base search that a user with this role runs.
- (Optional) Use the Search filter SPL generator to create a search filter.
  - In the Indexed fields and values time range drop-down list, choose a time range to search for indexed fields and their associated values. Note: For these controls to work, you must have selected at least one index with data in the Indexes tab. Changing the default time of 60 seconds can increase the amount of time it takes to populate the Indexed Fields and Values text boxes, but might be necessary to retrieve a comprehensive list of indexed fields.
  - In the "Indexed fields" text box, do one of the following:
    - Click on the text box to display a drop-down list box that contains the most common indexed fields that were found, based on the indexes you have selected in the 3. Indexes tab and the time that you specified in the "Indexed fields and values time range" setting. The walklex search command populates this field.
    - Enter the name of an indexed field.
    Note: If you select an indexed field that is already present in the SPL search filter, Splunk Web displays a message about possible SPL collisions. Review the filter to confirm that there are no unintended conflicts.
  - In the "Values" text box, do one of the following:
    - Click on the text box to display a drop-down list box that shows the top 250 indexed field values that were found, in lexical order, based on the fields you selected in the "Indexed fields" text box.
    - Enter a custom field value directly. You can also use wildcards.
  - Use the Concatenation option drop-down list box to determine how the SPL generator adds SPL text that it generates to any existing text in the SPL search filter.
    - Choose "AND" to add the generated SPL prepended with the AND keyword.
    - Choose "OR" to add the generated SPL prepended with the OR keyword.
    - Choose "NOT" to add the generated SPL prepended with the NOT keyword.
    Note: If the search filter does not have any text in it, the "Concatenation option" drop-down list box is disabled.
  - Review the SPL that the SPL generator proposes adding to the SPL search filter.
  - If you are satisfied with the SPL that has been generated, click Add to SPL search filter. The SPL generator updates the SPL search filter text box with the generated text. If there is already text in the filter text box, the SPL generator appends the generated text. Depending on the concatenation option you chose, the SPL generator adds the text after the "AND", "OR", or "NOT" keyword.
  - (Optional) If you do not like the SPL that you generated with the SPL generator, you can remove the text that you added by clicking Reset.
  - (Optional) If you want to see how the search filter can affect search results before you apply it, click Preview search filter results. This action opens a new Search page that shows the results of a search with the current search filter.
  Note: The search preview results are an example of what a user with this role might see. Several factors can alter the actual results from what the preview shows. The preview makes the assumption that the user holds only this role. While it includes results from inherited indexes, it does not include any search filters that might exist in inherited roles. If, on Splunk Enterprise, you have configured the instance so that search filters for a role eliminate, rather than select, results, actual results might be the opposite of what you see in the preview. The srchFilterSelecting setting in the authorize.conf configuration file controls whether search filters select or eliminate results. The srchFilterSelecting setting is true by default, which means that search filters select the results that the user can see. A false value configures search filters to eliminate results.
Save changes to role configurations
You must save changes to role configurations, including search time restrictions, and restart the Splunk platform before those changes can take effect. If you do not restart, the instance cannot enforce your configurations and restrictions.
- To save all of the changes you have made and close the dialog box, click Save.
- If you do not want to save the changes, click Cancel. Note: If you click Cancel, you lose any unsaved changes that you have made since you opened the Roles dialog box.
For more information about restarting the Splunk platform, see Start and stop Splunk Enterprise in the Admin Manual.
SPL search filter syntax
The SPL search filter field in the 4. Restrictions tab accepts any of the following search terms:
- source::
- host::
- index::
- sourcetype::
- eventtype= or eventtype::
- The keywords AND, OR, or NOT
- Search fields
You can enter SPL manually into the SPL search filter text box, or use the SPL generator to create SPL for the search filter based on fields and field values that you have indexed.
You can use wildcards. Use OR to allow multiple terms, or AND to make the filter more restrictive.
Caveats to using the SPL search filter
The search terms cannot include any of the following:
- Saved searches
- Time operators
- Regular expressions
- Subsearches
- Macros
- The inputlookup command
- Any fields or modifiers that you can override from the Splunk Web search bar
Usage of search filter syntax
When you specify search term filters, use the key::value syntax, rather than key=value, where possible, to restrict search terms to indexed fields. If you specify the key=value syntax as part of a filter, the search filter dialog box warns you that usage of the = operator can result in poor search performance for users who hold the role. Also, the = operator is not secure, because filters that use it can be bypassed by user knowledge objects.
If you attempt to add an indexed field that already exists in the current search filter, the page warns you that the indexed field already exists to ensure that you have no unintended SPL conflicts in the search filter.
For search filters with metrics data, use the key=value syntax to specify search restrictions on metrics fields. This is because the key::value syntax does not work for searches over metrics data. In this case, you can safely disregard the syntax warnings about the = operator that the search filter dialog box presents.
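The following Python lint is an added illustration, not Splunk's own validation code: it mirrors the checks this section describes by flagging constructs a search filter cannot include, warning on key=value unless the filter targets metrics data, and reproducing the generator's concatenation and indexed-field collision check. The regular expressions are constructed approximations of those rules, not Splunk's SPL parser.

```python
import re

# Added example, not Splunk's own validator: a simplified lint for a role's
# SPL search filter that mirrors the caveats and warnings described above.
# The patterns below are constructed approximations of those rules.
FORBIDDEN = {
    "subsearch": re.compile(r"\[.*\]"),
    "macro": re.compile(r"`[^`]+`"),
    "inputlookup command": re.compile(r"\binputlookup\b", re.IGNORECASE),
    "time operator": re.compile(r"\b(earliest|latest)\s*=", re.IGNORECASE),
    "regular expression": re.compile(r"\b(regex|rex)\b", re.IGNORECASE),
}
EQUALS_TERM = re.compile(r"\b(\w+)\s*=\s*\S+")   # key=value, warned about
INDEXED_TERM = re.compile(r"\b(\w+)::\S+")       # key::value, preferred form


def lint_search_filter(spl, metrics=False):
    """Return (severity, message) findings for a proposed search filter.

    'error' marks constructs the filter cannot include; 'warning' is the
    key=value advisory, suppressed when metrics=True because key::value
    does not work for searches over metrics data.
    """
    findings = []
    for name, pattern in FORBIDDEN.items():
        if pattern.search(spl):
            findings.append(("error", f"search filter cannot include a {name}"))
    if not metrics:
        for key in EQUALS_TERM.findall(spl):
            if key.lower() in ("earliest", "latest"):
                continue  # already reported as a time operator
            findings.append(("warning", f"{key}=value is slow and can be "
                             f"bypassed by user knowledge objects; use {key}::value"))
    return findings


def add_indexed_term(spl, field, value, concat="AND"):
    """Append field::value the way the SPL generator does.

    Returns (new_spl, collision); collision is True when the filter already
    constrains that indexed field, which the dialog warns about.
    """
    if concat not in ("AND", "OR", "NOT"):
        raise ValueError("concatenation option must be AND, OR or NOT")
    collision = field in INDEXED_TERM.findall(spl)
    term = f"{field}::{value}"
    # With an empty filter the concatenation option is disabled.
    new_spl = term if not spl.strip() else f"{spl} {concat} {term}"
    return new_spl, collision
```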
mpreview command on those indexes.
System User Roles
The Splunk platform uses system user roles to perform essential monitoring and maintenance activities.
The Splunk platform uses the Admin role and system user roles to perform essential monitoring and maintenance activities. You might observe the Admin and system user roles authenticating into your Splunk Cloud Platform environment as part of the platform performing monitoring and maintenance activities. The platform performs these activities in accordance with a comprehensive security program designed to protect the confidentiality, integrity, and availability of your data.
In addition to these user roles, the Splunk platform also uses ephemeral system user roles to perform essential monitoring and maintenance activities. Ephemeral system user roles begin with the prefix int_, and you can use the following search command to audit those users.
index=_audit user=int* "login attempt"
General abilities of system user roles
The following table provides information about the general abilities of the internal_* system user roles.
| Ability | internal_ops_admin | internal_automation, internal_monitoring, internal_observability |
|---|---|---|
| Search internal data | x | |
| Search external data | | |
| Manage configurations | x | |
| Manage authentication | | |
| Manage ingestion | x | |
| Restart the Splunk platform | x | |
| Gather internal metadata | x | x |