I would like to restrict some indexes from a certain role. I can modify the srchFilter in authorize.conf to exclude 1 index but can't seem to get it to work for multiple indexes.
srchFilter="index!=abc;index!=def" does not work.
Our users have access to all indexes (over 100). We only want to exclude some of the indexes.
Any help would be appreciated.
I tried this but it didn't seem to take effect. I could still search index=xyz.
srchFilter = NOT (index=abc OR index=xyz)
srchIndexesAllowed = *;_*
srchIndexesDefault = *
Could you provide the DEBUG message from the Search Inspector?
Also, since you're changing the conf file, you're doing a refresh/restart of Splunk after the change, right?