How to keep users out of Search?


We would very much like to restrict certain users in our Splunk environment to the apps that have been provided to them and prevent them from reaching the Search interface.

We have established separate roles for each app, and assigned to the users to those roles, but are having some difficulty determining exactly which set of capabilities the roles require for the apps to function, but to make sure the users can't reach the search bar.

We remove the "Open in Search" option from the bottom on the dashboard panels, and we would like to remove access to the Search & Reporting app to all but the necessary roles.  We just want to be sure everything still functions for the users in their various apps.

Any guidance would be helpful.


Labels (2)
0 Karma


Hi @DaClyde,

for my knowledge, the only choice is to remove the open in search option in each panle.

Even if adding "search" in the url permits to access the Search and reporting dashboard and it isn't possible to block it.




Thank you @gcusello, I was worried this might be the answer. 

As much as we can, we are leveraging the API to build dashboards into our main website and effectively replicating the dashboards in HTML, pulling the values from Splunk.  That keeps the users out of Splunk entirely and may be the direction we need to go.  


0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...