Best strategy for user isolation?


Is there a way to completely isolate a user, so that they can only see themselves as a user and only their host - no other hosts, users, or apps?

Can this be done in the Search app or would it have to be a custom app build, and if so would it have to be one per user?

Splunk Employee

It can't be easily done in the search app without significant modification, so that it would pretty much become a custom app anyway.

Splunk doesn't really cater for per-user settings and permissions; instead, it's geared towards roles for groups of users. If every user has individual data requirements, and you need them to be strict enough so that users can only see their data and nothing else, then you'll likely end up with a role for each user, and an app for each role.

0 Karma


Yes, this is possible with some planning.

By default, a non-Admin Splunk user will not be able to see other users.

You can configure a custom role that is only able to access a custom index which accepts only data for a certain host.

You can also prevent apps from being viewable by certain roles by setting App permissions in the UI or by editing default.meta:
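Added example, not part of the original answer and not Splunk's own code: a role-per-user setup only isolates if each role's effective index list is its own index, and roles pulled in through `importRoles` add their `srchIndexesAllowed` entries to the child. The sketch below checks that over an authorize.conf; the role names, index names and sample file are constructed for illustration.

```python
import configparser

# Constructed sample authorize.conf; role and index names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_cust_alpha]
srchIndexesAllowed = idx_alpha
srchIndexesDefault = idx_alpha

[role_cust_beta]
importRoles = user
srchIndexesAllowed = idx_beta
srchIndexesDefault = idx_beta
"""

def _split(value):
    """authorize.conf lists are semicolon-separated."""
    return {v.strip() for v in value.split(";") if v.strip()}

def load_roles(conf_text):
    """Parse authorize.conf text into {role_name: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    return {s[len("role_"):]: dict(cp[s])
            for s in cp.sections() if s.startswith("role_")}

def effective_indexes(roles, name, seen=None):
    """Union of srchIndexesAllowed for a role and every role it imports."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()  # unknown role or import cycle: nothing more to add
    seen.add(name)
    allowed = _split(roles[name].get("srchIndexesAllowed", ""))
    for parent in _split(roles[name].get("importRoles", "")):
        allowed |= effective_indexes(roles, parent, seen)
    return allowed

def isolation_violations(roles, expected):
    """expected maps role -> the one index it may search; returns extras per role."""
    bad = {}
    for role, index in expected.items():
        extra = sorted(effective_indexes(roles, role) - {index})
        if extra:
            bad[role] = extra
    return bad

if __name__ == "__main__":
    roles = load_roles(SAMPLE_AUTHORIZE_CONF)
    print(isolation_violations(roles, {"cust_alpha": "idx_alpha", "cust_beta": "idx_beta"}))
```

In the sample, `cust_beta` is flagged because importing `user` brings in the `*` index pattern, while `cust_alpha` passes.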
