Best strategy for user isolation?


Is there a way to completely isolate a user, so that they can only see themselves as a user and only their host - no other hosts, users, or apps?

Can this be done in the Search app or would it have to be a custom app build, and if so would it have to be one per user?

Splunk Employee

It can't be easily done in the search app without significant modification, so that it would pretty much become a custom app anyway.

Splunk doesn't really cater for per-user settings and permissions; instead, it's geared towards roles for groups of users. If every user has individual data requirements, and you need them to be strict enough so that users can only see their data and nothing else, then you'll likely end up with a role for each user, and an app for each role.

0 Karma


Yes, this is possible with some planning.

By default, a non-Admin Splunk user will not be able to see other users.

You can configure a custom role that is only able to access a custom index which accepts only data for a certain host.

You can also prevent apps from being viewable by certain roles by setting App permissions in the UI or by editing default.meta:
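
The per-user setup described in this thread (one index, one role, one app), sketched as an added configuration example that is not part of the original post. The index, role, app, host and monitored path names are hypothetical placeholders.

```ini
# --- indexes.conf (indexer): one dedicated index per isolated user ---
# "idx_alice" is a hypothetical name.
[idx_alice]
homePath   = $SPLUNK_DB/idx_alice/db
coldPath   = $SPLUNK_DB/idx_alice/colddb
thawedPath = $SPLUNK_DB/idx_alice/thaweddb

# --- inputs.conf (forwarder on the user's host only) ---
# Send this host's data to the dedicated index instead of "main".
# The monitored path and host value are placeholders.
[monitor:///var/log]
index = idx_alice
host = alice-host01

# --- authorize.conf (search head): one role per isolated user ---
[role_alice_only]
# Leave importRoles empty: an inherited role also contributes its own
# allowed indexes, which would widen what this role can search.
importRoles =
# Without an inherited role, the search capability must be granted here.
search = enabled
# The role can search this index and nothing else.
srchIndexesAllowed = idx_alice
srchIndexesDefault = idx_alice
# Second layer: even inside the index, only this host's events match.
srchFilter = host=alice-host01

# --- etc/apps/alice_app/metadata/default.meta (custom app) ---
# The empty stanza sets permissions for the app as a whole.
[]
access = read : [ alice_only ], write : [ admin ]
# Do not share this app's knowledge objects with other apps.
export = none
```

Hiding the other apps from this role works the same way in reverse: each of those apps needs an `access = read : [ ... ]` list in its own metadata that does not include `alice_only` or `*`.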