Splunk Dev

Can i restrict splunk users to a particular index only?

pradiptam
Explorer

I have the following scenario. I have five users, say A, B, C, D and E, and I have 5 indexes: Index1, Index2, Index3, Index4 and Index5. Can I restrict the users in the following way:

User A -> All activities directed to Index1
User B -> All activities directed to Index2
User C -> All activities directed to Index3
User D -> All activities directed to Index4
User E -> All activities directed to Index5

If I create a role and assign Index1, will all data be redirected to Index1, and similarly for the others?
Till now everything should work, but when I try to upload data, I can see all the indexes. Why?

Please provide your suggestions regarding the scenario.


mprreddy51
Explorer

Yes, you can restrict the user to searching only a particular index or sourcetype. Below is an example stanza in authorize.conf:

[role_abc_user]
importRoles = user
srchFilter = NOT (sourcetype = a OR sourcetype = b OR sourcetype = c OR sourcetype = d)
srchIndexesAllowed = abcd
srchIndexesDefault = abcd
srchMaxTime = 0

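The stanza above sets srchIndexesAllowed on a role that also imports the built-in user role. In Splunk, index access is cumulative across imported roles, so it is worth checking the effective index set rather than the stanza alone. The following is an added example (not code from the thread or from Splunk) that parses a constructed authorize.conf, resolves importRoles transitively, and emits the kind of one-index-per-role stanza the question asks for. The sample roles, their names and the value given to the constructed parent role "user" are assumptions made up for this illustration; the real defaults live in your deployment's own authorize.conf.

```python
"""Audit effective index access per Splunk role, following importRoles inheritance."""
import configparser
from typing import Dict, Set

# Constructed sample authorize.conf (hypothetical roles, not taken from any real deployment).
# The parent role "user" is given srchIndexesAllowed = * here only to show the inheritance
# effect; check the default authorize.conf of your own deployment for its real value.
SAMPLE_AUTHORIZE_CONF = """\
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_abc_user]
importRoles = user
srchIndexesAllowed = abcd
srchIndexesDefault = abcd

[role_index1_only]
search = enabled
srchIndexesAllowed = index1
srchIndexesDefault = index1
"""

ROLE_PREFIX = "role_"


def parse_authorize_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse authorize.conf text into {role_name: {key: value}}, stripping the 'role_' prefix."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive (e.g. srchIndexesAllowed)
    cp.read_string(text)
    roles: Dict[str, Dict[str, str]] = {}
    for section in cp.sections():
        if section.startswith(ROLE_PREFIX):
            roles[section[len(ROLE_PREFIX):]] = dict(cp[section])
    return roles


def _split_list(value: str) -> Set[str]:
    """Splunk list values such as srchIndexesAllowed and importRoles are ';'-separated."""
    return {item.strip() for item in value.split(";") if item.strip()}


def effective_allowed_indexes(roles: Dict[str, Dict[str, str]], role_name: str,
                              _visited: Set[str] = None) -> Set[str]:
    """Union of srchIndexesAllowed over the role and every role it imports, transitively.

    A narrow srchIndexesAllowed on a child role does not remove what an imported
    parent grants, so the effective set is the union, not the child's value alone.
    """
    visited = _visited if _visited is not None else set()
    if role_name in visited or role_name not in roles:  # cycle guard / unknown parent
        return set()
    visited.add(role_name)
    role = roles[role_name]
    allowed = _split_list(role.get("srchIndexesAllowed", ""))
    for parent in _split_list(role.get("importRoles", "")):
        allowed |= effective_allowed_indexes(roles, parent, visited)
    return allowed


def audit(text: str) -> Dict[str, Dict]:
    """Per role: the effective index list and whether a '*' wildcard makes it unrestricted."""
    roles = parse_authorize_conf(text)
    report = {}
    for name, role in roles.items():
        allowed = effective_allowed_indexes(roles, name)
        default = _split_list(role.get("srchIndexesDefault", ""))
        report[name] = {
            "allowed": sorted(allowed),
            "unrestricted": "*" in allowed,
            # a default index the role cannot actually search is a misconfiguration
            "default_not_allowed": bool(default - allowed) and "*" not in allowed,
        }
    return report


def single_index_role_stanza(role_name: str, index: str) -> str:
    """authorize.conf stanza confining a role to one index, without importing a broad parent."""
    return (
        f"[{ROLE_PREFIX}{role_name}]\n"
        f"search = enabled\n"
        f"srchIndexesAllowed = {index}\n"
        f"srchIndexesDefault = {index}\n"
    )


if __name__ == "__main__":
    for role, verdict in audit(SAMPLE_AUTHORIZE_CONF).items():
        print(f"{role}: {verdict}")
    # One role per user/index pair, as in the question (names are constructed).
    for user, index in {"A": "index1", "B": "index2", "C": "index3",
                        "D": "index4", "E": "index5"}.items():
        print(single_index_role_stanza(f"user_{user.lower()}_{index}", index))
```

Run it and the report shows abc_user as unrestricted because it inherits the parent's wildcard, while index1_only resolves to exactly one index. The generated stanzas give the search capability explicitly instead of importing it from a parent role, which is what keeps the index set narrow.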

somesoni2
SplunkTrust

By activity, if you mean searching, then yes, all User A searches will be redirected, or in better terms restricted, to Index1 only.


pradiptam
Explorer

Thanks for the reply.

By activity I mean both searching and uploading data. Searching is getting redirected to 1 index only, say User A points to Index1 only.

But the only thing is, while uploading data, say User A uploads data, I cannot remove the "default index"; there I manually select Index1. So is there any means to hide the default index?


somesoni2
SplunkTrust

As far as I know, rerouting the data to a specific index just based on user is not possible. The data inputs/uploads are not user specific (you can't set sharing permissions on those), hence they would not have access to user attributes like which index the user has access to.


kristian_kolb
Ultra Champion

For a role, you can assign access to one or more indexes. However, this has nothing to do with where log data FROM a particular user is stored.

The fact that you can see everything is perhaps because you are an administrator, and your role has full access?

/k
