How to restrict access to specific rows?


I have an index with kubernetes logs.
Each log line has a field called namespace with the following values:

  • prod
  • dev
  • qa
  • test

I want to limit some users so that they cannot access lines with value "prod" but can access all other lines.
How can we do that?




Hi Joerglang, Not sure if you saw this presentation, but this is what they are doing here in this .conf 2017 talk:

It would be nice to see row-level security natively built in though.

0 Karma


Best practice. Separate your logs into different indexes. Apply normal restrictions at the indexing tier via srchIndexesAllowed in authorize.conf -

I'd suggest not using search filters for a non-metadata based field as they can be bypassed.

0 Karma
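
The index-based restriction suggested in the answer above, next to the search-filter approach it advises against, as an added example that is not part of the original thread. The role names and index names (`kubernetes`, `k8s_prod`, `k8s_dev`, `k8s_qa`, `k8s_test`) are assumptions, and it presumes the logs are already routed into one index per namespace.

```ini
# authorize.conf (constructed example; role and index names are assumptions)

# Approach the answer advises against: all namespaces share one index and
# the restriction is a search filter on the non-metadata field "namespace".
[role_k8s_nonprod_filtered]
search = enabled
srchIndexesAllowed = kubernetes
srchIndexesDefault = kubernetes
srchFilter = NOT namespace=prod

# Approach the answer recommends: one index per namespace, with access
# decided per index. The prod index is simply not listed for this role.
[role_k8s_nonprod]
search = enabled
srchIndexesAllowed = k8s_dev;k8s_qa;k8s_test
srchIndexesDefault = k8s_dev;k8s_qa;k8s_test

# Separate role for the users who are allowed to read prod logs.
[role_k8s_prod]
search = enabled
srchIndexesAllowed = k8s_prod
srchIndexesDefault = k8s_prod

# Index access is inherited through importRoles. If these roles import
# another role, check that the imported role does not allow k8s_prod
# (a wildcard such as "*" in its srchIndexesAllowed would).
```

Users assigned several roles get the union of the indexes those roles allow, so the non-prod users must not also hold a role that lists the prod index.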


Thanks for your feedback.

The problem is that it is one single log, which has content with, let me call it, different contexts.

What we are looking for is something like "row level security".

There is a feature for the "splunk connectors for kubernetes" to route logs namespace specific, but there is a "topic" on naming convention.
