User Interface
| Question | Answer |
|---|---|
| Why can’t my team-mates see my Report or Dashboard (or field extraction or other object)? | Splunk defaults to saving objects as “Private”. In the “Display for” part of the permissions screen for your object (dashboard, report, field extraction, etc.), be sure to select “App” so that others who have access to your app can see the item.<br>Note that if you want an object (such as a lookup or field extraction) to be available across apps, it must be made “Global” (i.e., Display for All Apps). If you are not able to set an object to Global, please contact us for assistance. |
| How do I know what I have access to? | To see all of the indexes and apps you have access to — along with all of your role assignments for your account — please visit our custom “Illinois Homepage for Splunk” app. Users who have role of “Data Manager” can get additional information from the “Splunk Data Manager – Illinois” app. |
| What is the time zone setting for Splunk? | By default, all accounts in our Splunk environment (at Illinois) should be set (upon creation) to Central Time (America/Chicago). You can confirm (or change) your time zone setting in the “Preferences” screen, which is available as a drop-down from your username in the top bar of Splunk.<br>NOTE: Splunk’s “Time” (or _time) value takes into account a) the time zone of the original event as it was interpreted upon ingest and b) your account’s current time zone setting, and presents the time value accordingly. This is why you may (and often *should*) see discrepancies between the raw timestamp in the event and the “time” value Splunk displays: they may not share the same time zone. (It is a recommended practice for events to have timestamps in UTC/GMT.) |
| There are a lot of apps in the app menu. Can I change what shows up in my apps menu – or change the order? | While users cannot directly control which apps appear in the app menu, if you feel you are seeing something you shouldn’t, or not seeing something you should, please contact us.<br>To change the order of apps showing up for you, visit the “Launcher” app and then drag and drop apps in the left pane. These app order changes will be specific to your account. |
Security / Access Control
| Question | Answer |
|---|---|
| Who has (or will have) access to my data in Splunk? Does (or will) “Security” have access to my data? | The quick answer is… You (your team) will have control over who has access to your data. You (your team) will have specified who has access when the service was set up, and you (your team) can be granted delegation privileges to control access to your indexes and apps.<br>The longer answer is… We appreciate and applaud any group’s sense of professional responsibility for their data. The Security team and the Splunk team believe that aggregating your systems’ data into a single log analysis platform will help you and anyone else involved to detect, respond to, minimize, and even prevent security incidents. Bringing your data into Splunk will advance the institution’s Security Maturity index. (Reference IT Security Standard 4.6.1.)<br>Visibility and Control of Access to Data and Analyses of the Data<br>Exceptions: Beyond the groups used to grant access, there are two groups who will always need “incidental access” to content in Splunk (in accordance with II.D.4 of Appropriate Use of Computers and Network Systems):<br>Other mitigating factors:<br>Concerns or Questions? If you or your unit have any concerns or further questions about the above, please contact us to discuss your specific use case(s). |
| I’m confused by all of the different ‘roles’. What do I need to know? | To get started, all we need is a single person to play the role of “Data Manager”. All other roles can be added (populated) as needed. Our experience with the evolution of needs of teams has led us to implement a templated structure to facilitate the most common use cases (and evolution of needs). Consequently, we stage groups/roles for the anticipated evolution of needs, even if that evolution doesn’t occur. “Templated” roles include the following – the ones in bold are the most common / elemental …<br>(Provide link to a) diagram of Splunk permissions structure, |
| I’m confused by what role I should assign privileges to for the objects I own/create in my app. What should I use? | When you assign permissions in Splunk, as of this writing, you’ll only be able to see roles that you are also a member of. (This is undesirable and an enhancement request has been submitted.) Consequently, we may need to add you (and others who may be responsible for managing permissions within Splunk) to additional (permissions target) roles.<br>When assigning permissions to objects within an app, please use the roles with the “app” prefix. If you need additional “app” roles, please let us know; we can work with you to establish more ‘app’ roles to suit your needs. The basic (templated) app role permissions are “write” (implied by “Data Manager”, “Developer”, and “Analyst” roles) and “read” (implied by “User” & “Viewer” roles) – but many use cases require additional “app” roles for more differentiated access to objects within an app. |
Timestamps
| Question | Answer |
|---|---|
| How should I format timestamps in my events? | The short answer is consider using ISO 8601. For more, please read our article, “Guidance on implementing timestamps in your events“. |
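The following is an added example, not part of this FAQ and not code from the Illinois Splunk service. It illustrates the two points made above: why the raw timestamp in an event and the “time” a user sees can legitimately differ once the event’s own offset and the account’s time zone (America/Chicago here) are both applied, and what an ISO 8601 timestamp with an explicit offset looks like when you emit one. The log lines are constructed sample data; a timestamp without an offset is rejected rather than guessed, which is the ambiguity the ISO 8601 recommendation is meant to remove.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed sample events. Each begins with an ISO 8601 timestamp that
# carries an explicit UTC offset ("Z", "-05:00", "+02:00").
RAW_EVENTS = [
    "2024-06-15T14:00:00Z sshd[1201]: Accepted publickey for alice",
    "2024-06-15T14:00:00-05:00 sshd[1202]: Accepted publickey for bob",
    "2024-06-15T14:00:00+02:00 sshd[1203]: Accepted publickey for carol",
]

# Assumed default for the examples; matches the account default described in the FAQ.
DEFAULT_USER_TZ = "America/Chicago"


def parse_event_time(raw_line: str) -> datetime:
    """Parse the leading ISO 8601 timestamp of a log line into an aware UTC datetime.

    The offset written in the event is what fixes the instant in time; a
    timestamp with no offset is ambiguous on ingest and is rejected here.
    """
    stamp = raw_line.split(" ", 1)[0]
    if stamp.endswith("Z"):          # fromisoformat() before 3.11 does not accept "Z"
        stamp = stamp[:-1] + "+00:00"
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp {stamp!r} has no UTC offset; cannot place it on the timeline")
    return parsed.astimezone(timezone.utc)


def epoch_seconds(raw_line: str) -> float:
    """The instant the event occurred, independent of anyone's display time zone."""
    return parse_event_time(raw_line).timestamp()


def display_time(raw_line: str, user_tz: str = DEFAULT_USER_TZ) -> str:
    """The same instant rendered in the viewing user's time zone (what a UI would show)."""
    return parse_event_time(raw_line).astimezone(ZoneInfo(user_tz)).isoformat()


def raw_timestamp(raw_line: str) -> str:
    """The timestamp exactly as it appears in the event, for side-by-side comparison."""
    return raw_line.split(" ", 1)[0]


def iso8601_utc(dt: datetime) -> str:
    """Emit a timestamp in the recommended form: ISO 8601, millisecond precision, UTC offset."""
    if dt.tzinfo is None:
        raise ValueError("refusing to format a naive datetime; attach a tzinfo first")
    return dt.astimezone(timezone.utc).isoformat(timespec="milliseconds")


if __name__ == "__main__":
    for line in RAW_EVENTS:
        print(f"raw={raw_timestamp(line):<25} epoch={epoch_seconds(line):.0f} "
              f"shown_to_user={display_time(line)}")
    print("emit:", iso8601_utc(datetime(2024, 6, 15, 9, 0, tzinfo=ZoneInfo(DEFAULT_USER_TZ))))
```

Run as a script, the three sample events print three different epoch values and three different displayed times even though every raw timestamp reads “14:00:00”: the offset in the event, not the wall-clock digits, determines when it happened. `iso8601_utc` shows the emitting side of the same rule, always writing the offset so the consumer never has to guess.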