@tweaktubbie
can the sap_user and sap_only role be left out, or does the app or functionality require those?
Yes they can, so long as you ensure that the user performing the searches has
1. access to the index
2. has the index in their list of indexes to search by default
If you skip this then you need to play with the savedsearches, which is possible but more complex.
can the creation of sap_upload user be skipped on Splunk side, and on SAP another 'non personal account' credential be used which of course has to exist on splunk side as well?
This is only required for restAPI access. We fully support injecting data via HTTP Event Collector (HEC); for this you only need the HEC token to be set up correctly.
previous question is because of the fact the default installation instructions state you have to assign the admin role - this is not desirable especially because the credentials would also give log on possibilities on the whole system for that account.
This is only required for restAPI; if you use the HEC token this is no longer necessary.
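Added example, not part of the reply above and not the app's own configuration: a Splunk-side sketch of the two conditions listed (index access and default search index) plus an HEC input that replaces the admin-role REST account. The role name, input name, index name and token value are placeholders assumed for illustration; substitute the index the app actually writes to.

```ini
# --- authorize.conf ---
# Hypothetical role for users who run the SAP searches, used in place of
# the app-supplied roles.
[role_sap_search_example]
importRoles = user
# Condition 1: the role may search the index (placeholder index name).
srchIndexesAllowed = sap_index_placeholder
# Condition 2: the index is searched by default, so saved searches that
# do not name an index explicitly still return the SAP events.
srchIndexesDefault = sap_index_placeholder

# --- inputs.conf ---
# Global HEC settings: enable the collector and keep TLS on.
[http]
disabled = 0
enableSSL = 1

# Hypothetical HEC input for the SAP sender. The token is a write-only
# ingestion credential: it cannot be used to log on to Splunk.
[http://sap_hec_example]
disabled = 0
# Placeholder value; generate a real token in Splunk.
token = 00000000-0000-0000-0000-000000000000
# Default index for events sent with this token.
index = sap_index_placeholder
# Restrict the token so it can write to this index only.
indexes = sap_index_placeholder
```

With this layout the credential stored on the SAP side is only the HEC token, scoped to one index, rather than a Splunk account holding the admin role.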