Security

Authorize.conf filtering indexes

Splunk Employee

I would like to restrict some indexes from a certain role. I can modify the srchFilter in authorize.conf to exclude 1 index but can't seem to get it to work for multiple indexes.

srchFilter="index!=abc" works

srchFilter="index!=abc;index!=def" does not work.

Our users have access to all indexes (over 100). We only want to exclude some of the indexes.

Any help would be appreciated.

0 Karma

SplunkTrust

You can use filters like this (no need for semicolon separated values)

srchFilter = NOT (index=abc OR index=xyz)
0 Karma
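
Added example, not part of the original thread and not Splunk tooling: a small Python linter that finds role stanzas whose srchFilter is written as a semicolon-separated list (the form the question reports as not working) and suggests the boolean form given in the answer above. The role names and the sample authorize.conf text are constructed for illustration.

```python
import configparser
import re

# Constructed sample authorize.conf; role names are hypothetical.
SAMPLE_CONF = """
[role_analyst]
srchFilter = index!=abc;index!=def
srchIndexesAllowed = *
srchIndexesDefault = *

[role_helpdesk]
srchFilter = index!=abc

[role_power]
srchIndexesAllowed = main
"""

# One plain exclusion clause such as index!=abc (optionally quoted name).
EXCLUDE = re.compile(r'^index\s*!=\s*"?([\w\-*]+)"?$')

def rewrite_filter(value):
    """Turn 'index!=a;index!=b' into 'NOT (index=a OR index=b)'.
    Returns None when any clause is not a plain index exclusion,
    so a human reviews it instead of trusting an automatic rewrite."""
    names = []
    for clause in value.strip().strip('"').split(";"):
        m = EXCLUDE.match(clause.strip())
        if not m:
            return None
        names.append(m.group(1))
    return "NOT (" + " OR ".join("index=" + n for n in names) + ")"

def lint_srch_filters(conf_text):
    """Return {stanza: suggested_filter} for each srchFilter containing ';'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the camelCase key names as written
    cp.read_string(conf_text)
    findings = {}
    for section in cp.sections():
        value = cp.get(section, "srchFilter", fallback="")
        if ";" in value:
            findings[section] = rewrite_filter(value)
    return findings

if __name__ == "__main__":
    for role, fix in lint_srch_filters(SAMPLE_CONF).items():
        print(f"[{role}] srchFilter uses ';' -> suggest: srchFilter = {fix}")
```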

SplunkTrust

Could you provide the DEBUG message from the Search Inspector?
Also, since you're changing the conf file, you're doing a refresh/restart of Splunk after the change, right?

0 Karma

Splunk Employee

I tried this but it didn't seem to take effect. I could still search index=xyz.

srchFilter = NOT (index=abc OR index=xyz)
srchIndexesAllowed = ;_
srchIndexesDefault = *

0 Karma