All Apps and Add-ons

Best strategy for user isolation?


Is there a way to completely isolate a user, so that they can only see themselves as a user and only their host - no other hosts, users, or apps?

Can this be done in the Search app or would it have to be a custom app build, and if so would it have to be one per user?

Splunk Employee
Splunk Employee

It can't be easily done in the search app without significant modification, so that it would pretty much become a custom app anyway.

Splunk doesn't really cater for per-user settings and permissions, instead it's geared towards roles for groups of users. If every user has individual data requirements, and you need them to be strict enough so that users can only see their data and nothing else, then you'll likely end up with a role for each user, and an app for each role.

0 Karma


Yes, this is possible with some planning.

By default, a non-Admin Splunk user will not be able to see other users.

You can configure a custom role that is only able to access a custom index which accepts only data for a certain host.

You can also prevent apps from being viewable by certain roles by setting App permissions in UI or by editing default.meta:

Get Updates on the Splunk Community!

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...