Field Extraction Restriction

rashi83 · ‎08-23-2019

Hi,
I want to restrict field extraction capability to users in Splunk system. I want to provide this capability just to Admin users.
If this is not possible , can users create private extractions and only admin can make them global - just trying to put control around the splunk system,

thoughts?

solarboyz1 · ‎08-23-2019

can users create private extractions and only admin can make them global

This is exactly how it works. As long as the users do not have write access to the apps, they will only be able to create private objects.

rashi83 · ‎08-28-2019

@solarboyz1 -What is the name of capability that can control write access to the apps? Could you please share

solarboyz1 · ‎08-28-2019

Its not a capability, it's permissions on the app.

App dropdown -> Manage Apps -> {Selected App} Permissions

It lists the roles, and if the have read and/or write permissions.

rashi83 · ‎08-28-2019

thanks , so I have READ permission to Everyone and Write permission to Admin and Power user only.
But Still I see "normal user" can create global field extractions.

solarboyz1 · ‎08-28-2019

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Apparchitectureandobjectownership

To make an object global the user requires the capability:

admin_all_objects capability

Field Extraction Restriction

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases