I have a lookup which contains varying information which is linked to a user field in the lookup. I need a way to to be able to allow users to see this lookup but only see the rows which are linked to their user account.
I can do this in search by using a rest command to pull the users user name and match this to the user field but there's nothing stopping them from just removing the rest line and seeing everything thats in that lookup. I've also tried moving the data into an index and having the rest built into the search filter but splunk doesn't allow subsearches in searchfilter so this also doesn't work.
So i need a way to auto apply the filter whenever anyone tries to access the lookup and/or index, I believe there may be a way to use python to add a role which will allow them to run the filtered search on a dashboard and then remove the role once the search has been completed but my knowledge of python is nil.
Has anyone got any experience with building or working with something similar?
| inputlookup lookup.csv
| search
[| rest /services/authentication/current-context/context
| table username
| rename username as user]