Question says it all. I had pseudo-accomplished this for my users for the last 18 months by removing access to the search app and the search view, so they could use all my dashboards, alerts, and reports but not run their own custom searches.
Now I have a single index that I would like them to have search access to. Is it possible to give my users search access to only one index, but give them dashboard, report, and alert access to a great number of indexes? Or, alternately, can I specify "run as" for dashboards and alerts like I can for reports?
YES! Have a privileged user
setup a scheduled search
on the protected index
and then have the unprivileged dashboard
use | loadjob
or | savedsearch
to load the results of the search run to display in the dashboard.
YES! Have a privileged user
setup a scheduled search
on the protected index
and then have the unprivileged dashboard
use | loadjob
or | savedsearch
to load the results of the search run to display in the dashboard.
One answer:
Summary indexes. Not a lot of fun, but doable
Second answer:
Remove access to the search app and search view, and then create custom search dashboards, with your own query textbox so users can write custom queries (on top of whatever restrictions you want to implement, you can start the query for them). Since the search app and search view access removal is only through the UI, this is not secure.
Third answer:
Have Splunk add this capability. Create role-based dashboard index access vs role-based search index access. Or add "run as" for dashboards like with reports. Or create the ability to restrict search terms but specify if it's a dashboard or search restriction: indexSrchFilter
vs dashboardSrchFilter
.
@nick405060 I think this is also possible through saved searches. Have you tried the following:
Step 1 : Do not give users access to search the index.
Step 2 : Create all dashboard search queries as Report.
Step 3 : Give user access to report.
Step 4 : Reference Report in the dashboard.
This one works , verified 🙂
I don't think you can do that unless the user has access to a specific index or data in the dashboard user can't see any results. You can generate reports and share them. I hope this helps