Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Any ideas on how to disable outputcsv for users?

the_wolverine
Champion
‎11-14-2018 09:29 AM

Users are using outputcsv which generates the output on our filesystem which they cannot access as non-admins. How can we prevent them from using it (other than stating that fact).

It is dangerous since this output is generated in the same location as working files ($SPLUNK_HOME/var/run/...)

Reference: https://answers.splunk.com/answers/416877/will-csv-files-produced-by-the-outputcsv-command-b.html

outputlookup is allowed so we cannot remove output_file capability.

0 Karma
Reply

sandeeprachuri
Path Finder
‎11-14-2018 11:03 AM

@the_wolverine, You can restrict the users using roles and capabilities from Access controls. The one capability you can remove is "output_file" : Lets the user create file outputs, including outputcsv (except for dispatch=t mode) and outputlookup.

Above is the definition from Splunk docs.

You can also control the user access from local.meta file. Remove write access to those users for a specific file.

Hope this helps.

Thanks,
Sandeep

0 Karma
Reply

the_wolverine
Champion
‎11-14-2018 11:16 AM

Yes, however our users MUST be allowed to outputlookup. So cannot remove this capability.

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎11-14-2018 06:37 PM

Training seems to be your only solution, then.

How exactly do they keep doing "outputcsv"?

Hmm, though now that I've said that, I wonder if there might be a way to disable the command itself? Maybe look into a local commands.conf that ... I'm not sure, redirects "outputcsv" to a broken thing or something?
http://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/Commandsconf

Interesting idea, let me know if that leads you anywhere or if that looks like it might work, but you end up with further questions.

0 Karma
Reply
Get Updates on the Splunk Community!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...