Knowledge Management

datamodel acceleration (TSIDX) & user grants on index


Hi splunkers!

I have a problem regarding TSIDX-Files (acc. datamodels):

when having eg. index1 (production) and index2 (test) - users should have access (grants) to index1 OR index2, but not to both (user1->index1, user2->index2) ... (standard splunk) user roles don't work with tsidx by design, I think ... is there a possibility (or workarounds) to grant access to the specific index for user(role)s when using TSIDX (acceleratored datamodels)?

Greetz, Robert


OK, here it is clue:

I use 2 userroles (rprod, rtest) - inherited from object/role user:


srchIndexesAllowed = 

importRoles = user
srchIndexesAllowed = index1
srchIndexesDefault = index1

importRoles = user
srchIndexesAllowed = index2
srchIndexesDefault = index2

user1 is member of role rprod / user2 is member of role rtest

by default, the user-role has the property:

srchIndexesAllowed = *

and this caused the problem, because I used searches by sourcetype not by index, to be more flexible in customeres usecases ...

0 Karma

Path Finder

So... the solution was not to inherity user role, right ?

As the tsdix are created inside each index folder, when a user runs a query against data accelerated by tscollect, it will return only logs from those indexes right ?

Not both.
Need just to clarify if your second post was the sollution.

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!


Or Learn More in Our Blog >>