Set up KVStore entries
UXM Desktop Agent groups
Go to Administration -> UXM Desktop Agent -> Endpoint groups, create a new group with the following info, and save it:
Name: All endpoints
Enabled: Checked
IP rule -> Start IP: 0.0.0.0
IP rule -> End IP: 255.255.255.255
Creating roles
uxmapp_user role
Create the uxmapp_user role with the following settings:
Capabilities: change_own_password, export_results_is_visible, pattern_detect, rest_properties_get, run_collect, run_mcollect, schedule_search, search.
Indexes: All uxmapp_* indexes.
It is also recommended to increase "Standard search limit" to 200 MB so that searches are not blocked when users use UXM heavily or create custom reports.
Use the following limits:
- User search job limit: Standard search limit: 3
- User search job limit: Real-time search limit: 6
- Disk space limit: Standard search limit: 200 MB
uxmapp_admin role
This role is allowed to use the administration menu in UXM to configure it.
Inheritance: uxmapp_user
Capabilities: Add edit_tcp, output_file and rest_access_server_endpoints; the remaining capabilities are inherited.
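To confirm that the two roles hold exactly the capabilities listed above (no more, no fewer), the role definitions can be audited offline. The following is an added example, not part of the UXM documentation or product: it assumes the roles are stored as [role_<name>] stanzas in Splunk's authorize.conf with inheritance expressed through importRoles, and it runs against a constructed sample file. The function names are hypothetical.

```python
import configparser

# Capabilities the page lists; uxmapp_admin inherits uxmapp_user and adds three.
USER_CAPS = {"change_own_password", "export_results_is_visible", "pattern_detect",
             "rest_properties_get", "run_collect", "run_mcollect",
             "schedule_search", "search"}
EXPECTED = {"uxmapp_user": USER_CAPS, "uxmapp_admin": USER_CAPS
            | {"edit_tcp", "output_file", "rest_access_server_endpoints"}}

# Constructed sample (not a real deployment): user lacks run_mcollect, admin has an extra.
SAMPLE_CONF = """
[role_uxmapp_user]
change_own_password = enabled
export_results_is_visible = enabled
pattern_detect = enabled
rest_properties_get = enabled
run_collect = enabled
schedule_search = enabled
search = enabled
srchIndexesAllowed = uxmapp_*

[role_uxmapp_admin]
importRoles = uxmapp_user
edit_tcp = enabled
output_file = enabled
rest_access_server_endpoints = enabled
admin_all_objects = enabled
"""

def load_roles(text):  # parse [role_<name>] stanzas into {name: {key: value}}
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. importRoles
    cp.read_string(text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def effective_caps(roles, name, seen=None):  # own capabilities plus inherited ones
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # unknown role or import cycle
        return set()
    seen.add(name)
    caps = {k for k, v in roles[name].items() if v.strip().lower() == "enabled"}
    for parent in roles[name].get("importRoles", "").split(";"):
        caps |= effective_caps(roles, parent.strip(), seen)
    return caps

def audit(text):  # {role: (missing, extra)} relative to EXPECTED
    roles = load_roles(text)
    return {r: (sorted(want - effective_caps(roles, r)),
                sorted(effective_caps(roles, r) - want)) for r, want in EXPECTED.items()}
```

An "extra" entry on uxmapp_admin matters most, because the uxmapp_wsgi service account described below is given that role.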
Splunk user for KVStore access
The Splunk Standalone and Heavy Forwarders need a user on the Search Head with the edit_tcp capability to read the KVStore.
Create a user on the Search Head with the following settings:
Name: uxmapp_wsgi
Password: Give it a random password and the role uxmapp_admin.
Require password change on next login: Unchecked