It’s not realistic for you or your engineering team to be the only group responsible for the successful deployment of your Splunk environment. Splunk offers several levels of permissions that grant access to the stakeholders you’ll want to add. This way, you don’t have to worry about the power of Splunk getting into inexperienced hands. In this article, we’ll show you how to manage your Splunk apps and users as well as guide you on the deployment, configuration, and authentication processes. Let’s get started.
What is a Splunk deployer?
The first step to administering Splunk apps and users is to use the Splunk deployer. According to Splunk, a deployer is a Splunk Enterprise instance that you use to distribute apps and other configuration updates to search head cluster members.
How the Splunk Deployer Works
- A Splunk admin executes a command to apply a new or updated configuration bundle, or
1a. A search head cluster member joins the cluster
2. The search head cluster checks with the deployer for available updates
Deploying new or updated apps has its own set of rules and functions a bit differently.
- Create an app by going to apps > manage apps > create app
- Copy the app directory
- Deploy the configuration bundle with the apply cluster-bundle command
Configuring and Authenticating Splunk Roles and Users
Giving Splunk access to various users in your organization is relatively straightforward. If you have a smaller team of users, you can use the native authentication controls in Splunk, but for larger teams and companies, you’ll find it helpful to use a Security Assertion Markup Language (SAML) or Lightweight Directory Access Protocol (LDAP). We’ll go over each of these methods in this section.
Types of Splunk authentication
Native Splunk Authentication
To access the authentication settings in Splunk, navigate to settings > access controls. From here, you can create a new user and assign their permissions. The most commo permissions you’ll use are:
- Admin: All permissions are included by default except can_delete which can be added manually.
- Power: Ability to schedule searches.
- User: The basic search permissions.
SAML authentication
SAML authentication allows you to use single-sign on (SSO) supported by information from your identity provider (IdP). To configure SAML, navigate to settings > access controls > authentication method and select SAML. From here, you’ll want to work with the person responsible for SAML within your orginzation to retrieve the correct configuration settings.
LDAP authentication
To authenticate users in the Splunk Cloud Platform, you’ll want to use the LDAP scheme. Before entering the settings for LDAP, Splunk recommends that you complete these three steps first:
- Create an LDAP strategy
- Map LDAP groups to Splunk roles
- Specify the connection order of LDAP servers (if you have multiple servers)
Once you have this completed, navigate to settings > access controls > authentication method and choose LDAP. Just like when setting up SAML, you’ll need to work with your LDAP admin for the correct settings and bind DN password.
These are the basics of managing Splunk apps and users. With this knowledge under your belt, you can begin onboarding your team and stakeholders to your Splunk environment.
If you found this helpful…
You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.
Cue Atlas Assessment: a customized report to show you where your Splunk environment is excelling and opportunities for improvement. Once you download the app, you’ll get your report in just 30 minutes.
