Security

How do I limit access to specific events in one index?

ips_mandar
Builder

Hi,

I am using the OMS add-on. I have one index with one host, source, and source type.
Now I want to limit access to specific tables, like below:
1. index=idx table=security ----- User1
2. index=idx table=info ----- User2

I am able to create a separate index, but that also causes it to reindex data, as one user wants to view all data and not any specific events/table. So what will be the best way to achieve this?

1 Solution

FrankVl
Ultra Champion

You could do that by creating separate roles and setting Search Filters for each of those. But search filters based on search time extracted fields are basically not secure, as users have control over the search time extractions. See also: http://docs.splunk.com/Documentation/Splunk/latest/Security/Addandeditroles#Search_filter_format

In general, the recommended way to segregate access is by putting data in separate indexes. If you have users that need to access all data, you can do two indexes named like: idx:security and idx:info, and then the users that have access to both can use index=idx*.
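
The two approaches from the answer above, written out as `authorize.conf` role stanzas. This is an added example, not configuration posted by anyone in the thread; the role names and the index names `idx_security` and `idx_info` are assumptions chosen for illustration.

```ini
# authorize.conf (added example; role and index names are hypothetical)
# No importRoles is used below: a role inherits srchIndexesAllowed from
# every role it imports, so check what an imported role allows first.

# --- Option A: one index, per-role search filter (weaker) -------------
# "table" is a search-time extracted field, so this filter narrows what
# a user sees by default but is not a reliable access boundary.
[role_oms_security_filtered]
search = enabled
srchIndexesAllowed = idx
srchIndexesDefault = idx
srchFilter = table=security

[role_oms_info_filtered]
search = enabled
srchIndexesAllowed = idx
srchIndexesDefault = idx
srchFilter = table=info

# --- Option B: one index per audience (recommended in the answer) -----
# Access is decided by which index the event was written to, which the
# searching user cannot change.
[role_oms_security]
search = enabled
srchIndexesAllowed = idx_security
srchIndexesDefault = idx_security

[role_oms_info]
search = enabled
srchIndexesAllowed = idx_info
srchIndexesDefault = idx_info

# Users who need everything get a wildcard over both indexes and can
# search with index=idx_*
[role_oms_all]
search = enabled
srchIndexesAllowed = idx_*
srchIndexesDefault = idx_*
```

With Option B, assign User1 to `role_oms_security`, User2 to `role_oms_info`, and the all-data user to `role_oms_all`.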
