Assigning User Permissions to Update Forwarders

bteele
New Member

Is there a way to assign permissions to Splunk users that will allow them access to delete old forwarders from Forwarder Management and rebuild the forwarder assets under Monitoring Console, but not grant them full admin rights to the rest of the system? I'm looking to get granular on the admin permissions, as different shifts will be responsible for updating the forwarders list as servers are commed and decommed.

We're on Splunk Enterprise 7.0.2 with a distributed environment with a dedicated deployment server.

0 Karma

adonio
Ultra Champion

Hello there,

When you say "delete" from Forwarder Management, do you mean removing the name of a forwarder that appears as down or has not phoned home for a while?
As for the forwarders list under MC, I'm not sure why you would do so manually, as it updates at every interval you set ...
Can you elaborate a little on your use case and the drive behind it?

0 Karma

bteele
New Member

We have an alert that fires off every hour if any forwarders are "missing", i.e. not current (out of box "DMC Alert - Missing forwarders").

When a server is decommed in our environment, the client instance in Forwarder Management alerts as not having phoned home. We have to then go in and "delete" the entry in Forwarder Management, and then also rebuild the forwarder assets in Monitoring Console. If we don't do the latter, we continue to get the missing forwarders alert, even if it's been deleted from Forwarder Management.

What I'm looking for are the permissions required to manually complete these two tasks. If the "DMC Forwarder - Build Asset Table" report (which we have enabled) is supposed to clean up the table, then it's not working. If I don't get notified of a decomm, then the forwarder goes missing, and I have to log in to delete it and rebuild. I'm looking to give that ability to others as well.

If there's another functionality available that will automate the process, that'd be great, too. But our previous admin said it had to be done manually.

0 Karma