Splunk user unable to access datamodel data.


Users are unable to access data from a dashboard. We are using a datamodel to create that dashboard. We have enable read access for this dashboard and datamodel but not to the raw data index. Please help me to provide data access for dashboard to user without giving access for that index (raw data).

Thanks in advance!!

Labels (1)
0 Karma


Although there are some potential workarounds to the issue you describe, the short answer is that you cannot grant access to a datamodel without also granting access to the index. Datamodels are tied to indexes, therefore the searches are also tied to the indexes. This is especially true with accelerated datamodels. If a user attempts to pull search results from a datamodel that is either not accelerated, or the search is outside the range of acceleration, Splunk will default to a "normal" index search.

As I mentioned, there are some potential workarounds (and likely more options than I personally know), but the first solution that comes to mind is to create a scheduled search. Create the search, schedule it to run at a certain day/time, and use the results from this to populate your dashboard. In that scenario, the user does not need access to the index itself.

A better option, in my opinion, is to grant read only access to the index behind your dashboards, but disable access to the default search app. In that way, users will be able to see populated dashboards, but not be able to manipulate the URL in such a way that they can query the index directly.

An upvote would be appreciated and Accept Solution if it helps!
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!