While many users log into Splunk and the Cisco CDR Reporting and Analytics app with administrative privileges, this is not always the case.  This page attempts to answer two main questions:

  1. When running as a “standard” user, what limitations on functionality are there?
  2. What is the minimum set of capabilities to make each page/section work?

With those two questions in mind, let’s dig in.

What works under a standard “user” role?

The short answer is “nearly everything”.

The longer answer is that the standard user role has, among other capabilities, input_file, output_file and search.  These together comprise more than 95% of the functionality of the app, and more than 99% of the “daily use” type stuff.  This includes

  • searching,
  • browsing calls,
  • browsing extensions,
  • general reporting,
  • building dashboards and sharing them…

Or in other words, all those things you do on a daily or weekly basis.

OK, so tell me about the exceptions!

Home page, FIRST TIME launch only:

The first time you launch the app, if you have no data it detects this situation and attempts to build an input for you. 

IF – and only if! – you are using a local directory as your input folder and have to configure that, you will find that a regular user can’t create the input.  If you are using a Universal Forwarder to set up your data inputs, then this is not a problem – simply set up your data inputs and once you have data in the system you will no longer get prompted to set up the input locally.

Recommended Solution:

  • Launch “Home” as an administrative user this first time, if you need the input built there.
  • Otherwise set up the Universal Forwarder and start sending in data.  When you relaunch “Home” as a regular user it will now skip the input steps.

Since this is only done once (typically), this may be a perfectly valid time to use admin credentials, or to have your Splunk admins perform this step.

Alternate Solution:

  • Have an administrator add capability edit_monitor to a new role and add that role to your user.

This role can be removed once the initial inputs are created.  It should not be needed on an ongoing basis, only during initial setup.

Scheduling 911 or other alerts

You may or may not use these in your environment, but the standard user role does not contain the capability schedule_search, so the 911 alerts can’t be enabled specifically, nor can other alerts be scheduled generally.

Recommended Solution:

  • Have an administrator add capability schedule_search to a new role and add that role to your user.

This is the recommended solution because those alerts often need adjustment even after initial creation.  There is a caveat: the capability schedule_rtsearch is included in the standard user role, but is ignored until schedule_search is added.  Since schedule_rtsearch is not useful in the Cisco CDR app, that capability could be removed with no repercussions, although it’ll take some juggling of custom roles to do so, so perhaps it isn’t worth the effort for most people.  Still, if you understood the above paragraph, you can probably make this happen.  If you didn’t, then don’t worry about it.

Run health checks

This page requires additional capabilities, and these rights are subject to change occasionally as we add better self-diagnostics to the app.  Fortunately it doesn’t generally need to be run except occasionally by administrators.

Recommended Solution:

  • Run this page as administrator.

Due to the changing nature of the page and the additional rights that may be needed as we build better diagnostics into the app, it may be easiest to just have an administrator check this page on a weekly basis, or as needed.

Alternate Solution:

While subject to change as the app’s self-diagnostic features are expanded, at this time the known list of capabilities needed for a user to run the health-check page is as follows:

  • TODO

Some capabilities that are NOT needed

Due to an apparent bug we’ve found in Splunk, the splunk_server=local directive in commands of the form | rest ... splunk_server=local, which tells Splunk to keep the REST command on this search head, is not honored when the command is run in a subsearch.  In that case, there can be a spurious warning:

REST Processor: Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability.

This is cosmetic only.  We attempt to capture and filter out that warning inside our app when found, but that’s not always perfect.  Meanwhile we’ll be confirming and raising the bug with Splunk, so hopefully they’ll fix this down the road.

Other User Considerations

Disk Quota

As an admin you have a 10,000 MB disk quota but the default user role only has a 100MB disk quota.  It is possible to bump into that size limit on many pages causing a warning and cancelled searches.

Recommended Solution

  • Increase the disk quota value to at least 250MB.

Our testing shows that’s enough … for our testing.  It might be enough in most environments, but we’d love feedback on where you ended up setting yours!

The Wrapup

To make the recommended changes so users have an increased disk quota, can schedule alerts and optionally can run the first-time Home data load, follow these steps.  We will also set a few other minor things which will improve their experience.

First, create the new role.

  • In the Splunk interface click Settings, then under section Users and Authentication, click Access controls
  • Click Roles
  • Create a new role with the Role name “Rights for Cisco CDR”
  • To change the default app that launches when they log in:
    • Change the Default app to cisco_cdr
  • To slightly increase the default of 3 concurrent searches to 6:
    • In User-level concurrent search jobs limit type “6”
  • To change the default 100 MB (too low) disk quota:
    • Into Limit total jobs disk quota, put “250” or “500”.
  • To add the ability to schedule searches:
    • In section Capabilities, find schedule_search
    • Click on it to add it to Selected Capabilities.
  • To add the ability to complete the first time run data load, if necessary (and more optional than the other steps, see discussion above)
    • In section Capabilities, find edit_monitor
    • Click on it to add it to Selected Capabilities.

Second, apply that role to users.

  • In the Splunk interface click Settings, then under section Users and Authentication, click Access controls
  • Click Users
  • Find and edit the user you wish to change — OR — Click New User
  • If creating a new user:
    • Fill out the top section with Name (the login id), Full name, password and so on.
  • For all users (new and editing existing):
    • Scroll down to the Assign to role section
    • Confirm “user” is on the “Selected item(s)” side, if not click on it to add it.
    • Add “Rights for Cisco CDR” by clicking on it.
  • Save.

And that should be all that’s needed.
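
To check the result of these steps, the following added example (not part of the app or of Splunk) computes a user's effective rights from authorize.conf-style text and reports the exceptions discussed on this page. The stanza name role_rights_for_cisco_cdr, the sample values for the new role, and the rule that a user gets the union of capabilities and the highest quota across assigned roles are assumptions.

```python
import configparser

# Constructed sample; role_rights_for_cisco_cdr is an assumed stanza name.
SAMPLE = """
[role_user]
input_file = enabled
output_file = enabled
search = enabled
schedule_rtsearch = enabled
srchDiskQuota = 100
srchJobsQuota = 3

[role_rights_for_cisco_cdr]
schedule_search = enabled
edit_monitor = enabled
srchDiskQuota = 250
srchJobsQuota = 6
"""

def effective(conf_text, roles):
    """Union of enabled capabilities, highest quota across roles (assumed rule)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. srchDiskQuota
    cp.read_string(conf_text)
    caps, quota = set(), {"srchDiskQuota": 0, "srchJobsQuota": 0}
    for role in roles:
        for key, val in cp[f"role_{role}"].items():
            if key in quota:
                quota[key] = max(quota[key], int(val))
            elif val.strip().lower() == "enabled":
                caps.add(key)
    return caps, quota

def audit(caps, quota):
    """Map the effective rights onto the exceptions this page describes."""
    notes = []
    if "schedule_search" not in caps:
        notes.append("schedule_search missing: 911 and other alerts cannot be scheduled")
    elif "schedule_rtsearch" in caps:
        notes.append("schedule_rtsearch is now honored: not needed by the app")
    if "edit_monitor" in caps:
        notes.append("edit_monitor granted: remove once the initial input exists")
    if quota["srchDiskQuota"] < 250:
        notes.append("srchDiskQuota below 250 MB: searches may be cancelled")
    return notes

if __name__ == "__main__":
    for roles in (["user"], ["user", "rights_for_cisco_cdr"]):
        print(roles, *audit(*effective(SAMPLE, roles)), sep="\n  ")
```

Running it against a copy of your own role definitions shows whether edit_monitor is still granted after initial setup and whether adding schedule_search has also activated schedule_rtsearch.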

 





If you have any comments at all about the documentation, please send them in to docs@sideviewapps.com.