This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2
Splunk comes pre-configured with all the capabilities you need to run the software. For a list of Splunk's built-in capabilities, see Documentation:preview:AuthorizeConf:latest.
Note: this list is in flux. Capabilities may change frequently during the development process.
You may wish to add your own capability. Currently, the only capabilities you can add are ones that allow running scripts you have created and placed in $SPLUNK_HOME/bin.
To add a capability to authorize.conf:
1. Edit the authorize.conf file in $SPLUNK_HOME/etc/bundles/local (or your own bundle directory).
2. Add a capability::$CAPABILITY tag to the beginning of the file, where $CAPABILITY has the form run_script_$SCRIPT.
We have created the script loglady.py and copied it into $SPLUNK_HOME/bin.
To add a capability to run this script, add the following line to the top of $SPLUNK_HOME/etc/bundles/local/authorize.conf:
capability::run_script_loglady
Note: leave off the suffix of the script when setting up your capability.
Now, add the capability to whatever role you want:
[role_Ninja]
run_script_loglady = enabled
edit_input = enabled
delete_input = enabled
edit_global_save_search = enabled
delete_global_save_search = enabled
create_alert = enabled
start_alert = enabled
start_global_alert = enabled
stop_alert = enabled
stop_global_alert = enabled
save_local_eventtype = enabled
edit_role_search = enabled
edit_local_search = enabled
edit_saved_search = enabled
savesearch_tab = enabled
allow_livetail = enabled
importRoles = Security;Compliance
srchFilter = host=swan OR host=pearl
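Because a run_script_ capability lets every member of a role execute a script from $SPLUNK_HOME/bin, it is worth reviewing which roles hold one. The following audit is an added example, not Splunk code: it assumes the authorize.conf layout shown on this page, and the function name audit_run_script_caps and the sample file are constructed for illustration.

```python
import os

# Constructed sample in the layout this page shows; not a real deployment's file.
SAMPLE_CONF = """\
capability::run_script_loglady
capability::run_script_orphan

[role_Ninja]
run_script_loglady = enabled
edit_input = enabled

[role_Guest]
run_script_undeclared = enabled
"""
PREFIX = "run_script_"

def audit_run_script_caps(conf_text, bin_files):
    """Return (grants, problems) for run_script_* capabilities.

    grants maps capability -> roles that enable it; problems lists declared
    capabilities with no script in bin and grants that were never declared.
    """
    # The capability name leaves off the script's suffix, so compare stems.
    stems = {os.path.splitext(name)[0] for name in bin_files}
    declared, grants, role = set(), {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("capability::"):
            declared.add(line[len("capability::"):])
        elif line.startswith("["):
            # Only [role_*] stanzas grant capabilities; any other stanza resets.
            is_role = line.startswith("[role_") and line.endswith("]")
            role = line[1:-1] if is_role else None
        elif role and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.startswith(PREFIX) and value == "enabled":
                grants.setdefault(key, []).append(role)
    problems = [("no_script", cap) for cap in sorted(declared)
                if cap.startswith(PREFIX) and cap[len(PREFIX):] not in stems]
    problems += [("undeclared", cap) for cap in sorted(grants) if cap not in declared]
    return grants, problems

if __name__ == "__main__":
    # In practice bin_files would be os.listdir() of $SPLUNK_HOME/bin.
    grants, problems = audit_run_script_caps(SAMPLE_CONF, ["loglady.py", "splunkd"])
    for cap, roles in sorted(grants.items()):
        print(cap, "->", ", ".join(roles))
    for kind, cap in problems:
        print("PROBLEM", kind, cap)
```
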