Our Splunk environment has multiple indexes, with role restrictions on index access.
I want to allow users to upload files in a fashion similar to Manager > Data Inputs > Files & Directories > Add New using the 'upload a local file' option.
They should only be able to upload local files (no Splunk server files should be input), and only to indexes they are allowed access to.
The authorization capabilities doesn't seem to allow for only this.
I'd be happy with a REST or UI based solution to this conundrum.
Is this possible?
Unfortunately not. Adding inputs requires the "edit_monitor" capability, which is independent of role-restricted indexes.
Unfortunately not. Adding inputs requires the "edit_monitor" capability, which is independent of role-restricted indexes.