What are the minimum permissions required to add data to Splunk using the HTTP simple receiver? http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTinput#receivers.2Fsimple
The example shows the admin user. I created a test user with a role of user and then changed the role to power user, but both return insufficient permissions.
I messed around with a custom user role, adding/removing capabilities, but couldn't arrive at the right permission. Is there a way to create a user not in the admin role with some minimum set of permissions to add data via the simple HTTP receiver?
My test attempt is below:
curl -k -u test:test "https://localhost:8089/services/receivers/simple?source=www&sourcetype=web_event" -d "Sun Jul 10 15:56:02 PDT 2011 User vishalp logged in successfully."
<?xml version="1.0" encoding="UTF-8"?>
It seems you will need the "edit_tcp" capability to be able to use this endpoint.
I downvoted this post because it is a vague answer.
Hi kevinanderson
Downvoting should only be reserved for suggestions/solutions that could be potentially harmful to a Splunk environment or go completely against known best practices. This answer seemed to work for the user who asked the question as it is an accepted answer. Simply commenting with constructive feedback on the post you are concerned with will be more beneficial for the community to learn from.
Some of the most active members in Answers have helped set the standard of how voting etiquette should work in the Splunk community which distinguishes our culture apart from other Q&A forums. Upvote early and often to give credit where it’s due for high-quality posts, comment where you think feedback needs to be given, and only downvote if something potentially dangerous is suggested. If you’re interested in seeing how this voting etiquette was developed, check out this Splunk Answers post: https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html
See docs for more info: http://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/authorizeconf#.5Bcapability::edit_tcp.5D
Additionally, five years later I'd recommend using the HTTP Event Collector instead of mulling over old, more basic features.
Confirmed!
Thanks Neeraj. Verified. edit_tcp is the way to rest 🙂
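An added example, not part of the original thread and not Splunk's own code: since the accepted answer ties `receivers/simple` to the `edit_tcp` capability, this sketch resolves `importRoles` inheritance in `authorize.conf` text to show which roles effectively hold it. The sample config is constructed, and `rest_ingest` and `app_team` are hypothetical role names.

```python
import configparser

# Constructed sample authorize.conf content (not taken from the thread).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled

[role_power]
importRoles = user
schedule_search = enabled

[role_rest_ingest]
# Hypothetical dedicated role: only the capability named in the answer.
edit_tcp = enabled

[role_app_team]
importRoles = power;rest_ingest
"""

def effective_capabilities(conf_text):
    """Return {role: set(capabilities)} with importRoles inheritance resolved."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case (importRoles), do not lowercase
    parser.read_string(conf_text)
    direct, imports = {}, {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue
        role = section[len("role_"):]
        items = dict(parser.items(section))
        parents = items.get("importRoles", "").split(";")
        imports[role] = [p.strip() for p in parents if p.strip()]
        # Capabilities are the keys whose value is "enabled".
        direct[role] = {k for k, v in items.items() if v.strip().lower() == "enabled"}

    def resolve(role, seen):
        # 'seen' guards against import cycles and unknown parent roles.
        if role in seen or role not in direct:
            return set()
        seen.add(role)
        caps = set(direct[role])
        for parent in imports[role]:
            caps |= resolve(parent, seen)
        return caps

    return {role: resolve(role, set()) for role in direct}

def roles_with_capability(conf_text, capability="edit_tcp"):
    """List roles that hold the capability directly or through importRoles."""
    caps = effective_capabilities(conf_text)
    return sorted(role for role, held in caps.items() if capability in held)
```

Running `roles_with_capability` over a merged `authorize.conf` shows every role that can post to the endpoint, including ones that only inherit the capability.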