Security

Authorize.conf filtering indexes

rmorlen
Splunk Employee
Splunk Employee

I would like to restrict some indexes from certain role. I can modify the srchFiler in authorize.conf to exclude 1 index but can't see to get it to work for multiple indexes.

srchFilter="index!=abc" works

srchFilter="index!=abc;index!=def" does not work.

Our users have access to all indexes (over 100). We only want to exclude some of the indexes.

Any help would be appreciated.

Tags (2)
0 Karma

somesoni2
Revered Legend

You can use filters like this (no need for semicolon separated values)

srchFilter = NOT (index=abc OR index=xyz)
0 Karma

somesoni2
Revered Legend

Could provide the DEBUG message from the Search Inspector ?
Also, since you're changing the conf file, you're doing refresh/restart of splunk after change right?

0 Karma

rmorlen
Splunk Employee
Splunk Employee

I tried this but it didn't seem to take effect. I could still search index=xyz.

srchFilter = NOT (index=abc OR index=xyz)
srchIndexesAllowed = ;_
srchIndexesDefault = *

0 Karma
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...