Is it possible to hide the raw data (events) in a dashboard for restricted users?

santosh_hb
Explorer

I am creating a dashboard that is being accessed by only a particular user. My question is:
Is it possible to hide the raw data (events)? I.e., the user should not be able to see the raw data (events) that is being used by the dashboard.

As I don’t have access to the Splunk environment here, I am unable to check it for the dashboards.
I am going through the Splunk documentation.

If you have come across this kind of scenario, please share the details with me.

0 Karma

the_wolverine
Champion

You can create a role without any srchIndexesAllowed set. The users could be granted read-only permission to these dashboards which are populated by scheduled searches that are run by a privileged user role that can search.

List of minimum capabilities required here: https://answers.splunk.com/answers/216781/what-is-the-configuration-required-to-create-a-vie.html

0 Karma

javiergn
Super Champion

I guess you could also create an app and tweak the views so that some users can't search at all from that app.
Then create your dashboard and grant them read-only access so that they can only see what you want them to see.

You can also restrict what your users are searching and remove certain fields by appending the "fields - MYLISTOFFIELDS" to your searches (see this)

0 Karma

santosh_hb
Explorer

Thanks for the reply.
What I did was hide the "Open in Search" button in the dashboard and also disable the drilldown functionality so that the user cannot see the raw data.

I have one more point to ask:
Is there any way to restrict the raw data access by setting some user roles in Splunk?

0 Karma

javiergn
Super Champion

But users can still go to the Search view using the Search button, or even by typing search after the app name in the URL, and then run any search commands there. You need to remove their ability to go to the search view by editing the XML permissions and breaking the inheritance. You can do this from Manager -> User Interface -> Views (take a backup first).

If you don't want to do that, you can also restrict what your users can search on via user roles. See this

Hope that helps

0 Karma

renjith_nair
Legend

The access restriction for data is done at the index level. So even though you restrict the user at the dashboard level, the user will be able to search the data. If you want to display only a few fields for the user, then you should use a different index to populate only the selected fields, or use a search to populate a summary index from the original index, build the dashboard on the summary index, and provide access to the user.

http://docs.splunk.com/Documentation/Splunk/6.0.2/Knowledge/Usesummaryindexing

http://docs.splunk.com/Documentation/Splunk/6.3.1511/Viz/CreateandeditdashboardsviatheUI

---
What goes around comes around. If it helps, hit it with Karma 🙂

jeremiahc4
Builder

Agree with @renjith.nair. I have implemented the exact setup you are looking for using summary indexing in the past. You create a role for these users, only allow it access to the summary index, then build the dashboards from the summary index. If they go snooping around they won't find anything because you have placed an active control there.

You could turn off drilldown on the dashboard to "mask" the raw data, but it is a passive control that the user could easily bypass by clicking the "Open in search" button on any dash panel.

0 Karma
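Added example, not part of the thread and not Splunk tooling: a small audit of the index-level control the answers above recommend, computing each role's effective `srchIndexesAllowed` including what it inherits through `importRoles`, to confirm a dashboard-only role cannot reach the raw index. The role names, index names and the sample `authorize.conf` are constructed for illustration.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed authorize.conf; role and index names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_dash_viewer_weak]
importRoles = user
srchIndexesAllowed = summary_web

[role_dash_viewer]
importRoles =
srchIndexesAllowed = summary_web
srchIndexesDefault = summary_web
"""

def load_roles(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's camelCase setting names
    cp.read_string(text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def _split(value):
    # Splunk separates multiple roles/indexes with semicolons.
    return [v.strip() for v in value.split(";") if v.strip()]

def effective_indexes(roles, name, seen=None):
    """Union of srchIndexesAllowed for a role and every role it imports."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    patterns = set(_split(roles[name].get("srchIndexesAllowed", "")))
    for parent in _split(roles[name].get("importRoles", "")):
        patterns |= effective_indexes(roles, parent, seen)
    return patterns

def can_search(patterns, index):
    # '*' covers non-internal indexes; internal ones need a pattern starting with '_'.
    return any(fnmatchcase(index, p) and (not index.startswith("_") or p.startswith("_"))
               for p in patterns)

def audit(text, raw_indexes):
    """Map each role to the raw indexes it can still search."""
    roles = load_roles(text)
    return {r: [i for i in raw_indexes if can_search(effective_indexes(roles, r), i)]
            for r in roles}

if __name__ == "__main__":
    for role, exposed in audit(SAMPLE_AUTHORIZE_CONF, ["web_raw", "_audit"]).items():
        print(role, "->", exposed or "no raw index searchable")
```

In the sample, `dash_viewer_weak` lists only the summary index itself but still reaches `web_raw` because it imports `user`; `dash_viewer` imports nothing and is limited to the summary index.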