We'd like to grant access to an additional index to a role, but we only want the members to be able to view 2 sourcetypes in that index.
I added a role called: foo_filtered
I added a search filter of: "service=Amazon OR service=Ebay" to that role
I gave that role access to an index named "vendor"
Their existing role foo_mail has access to search the "mail" and "spam" indexes.
So, when I add the foo_filtered role to their group, ALL searches (regardless of index) apply the filter. I only want the filter applied if they're searching the "vendor" index.
Is this even possible?
This is not possible with the current version of Splunk, unfortunately. You can submit an enhancement request on the Support Portal and they might add it in the future though.
View solution in original post
Is this still true?