I have an index with kubernetes logs.
Each log line has a field called namespace with following values
I want to limit some users, that the can not access lines with value "prod" but each other lines.
How can we do that?
Hi Joerglang, Not sure if you saw this presentation, but this is what they are doing here in this .conf 2017 talk: https://conf.splunk.com/files/2017/slides/splunking-with-multiple-personalities-extending-role-based...
It would be nice to see row-level security natively built in though.
Best practice. Separate you logs into different indexes. Apply normal restrictions at the indexing tier via srchIndexesAllowed in authorize.conf - https://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf
I'd suggest not using search filters for a non-metadata based field as they can be bypassed.
Thanks for your feedback.
The problem is, that it is one single log, which has the content with , let me call it, different contextes.
what we are looking for is something like "row level security".
There is s feature for the "splunk connctors for kubernetes" to route logs namespace specific but there is a "topic" on naming convention.