set up an account for splunk developer

rajul_jain · ‎07-09-2015

In our Splunk infra, we have so many developers creating objects. We had just faced a problem when few number of employee left organization and their alerts stopped working as the owner(employee) id was disabled from active directory. Also objects were created using own id's.
We thought of creating a group contains all the developers and share the password with all. So that none of the object will be disabled after user/developer leave company. We did not find it optimal from security point of view. Can anyone suggest for this issue?

acharlieh · ‎07-09-2015

So as I'm sure you've found, a Splunk Admin can change Ownership of objects through the REST API as detailed in this answer

So simple options include either be part of the off boarding process and transfer ownership of Splunk objects to another employee. OR have a process by which Splunk objects are "promoted" to be owned by a generic user that no one has to log in as.

At my company I'm pushing to moving to the idea that developers can work within test apps / environments all they want, but to go to production, they need to package custom Splunk App(s) which are managed in source control, peer-reviewed, and installed in appropriate environments by our configuration management solution (Chef). But that's going to take a while to get there 🙂

alacercogitatus · ‎07-13-2015

Agreed. I'm actually working on a version controlled, Continuous integration environment for a client. No direct updates on the Splunk environment. 😄

set up an account for splunk developer

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases