Limit access to parts of indexes



Index 1, Role 1
Index 2, Role 2
Index 3, Role 3
.... Etc.

Now I need a new role which gives full access to Index 2 and partial access to Index 1, e.g. just to a certain sourcetype.
How do I achieve this? I tried srchFilter, but it's applied to the complete search.
+ If tomorrow someone orders Role 3 in addition, it should give full access to Index 1 and 3 and the partial access to 2...


0 Karma


Hi Jens,

With the new Splunk 8 you can define a role which gives you partial access to an index.
I mean you can build a role which is based on a given index and then restrict the access based on fields of your choosing (sourcetype, host, ...).

Best regards

0 Karma


After going through this previously, I believe the comments by @adonio are valid here!

Because of the way Splunk is designed, at least as of version 7.1.x, the index access controls are per-role; there is no method to control access to part of an index or a particular sourcetype within an index.

The srchFilter option allows you to change a query in the search screen of the user, so for example if the search filter is:

index=X OR (index=Y sourcetype=Z)

Then if the user searches for anything, that will be added to the search behind the scenes. There are a few issues with search filters in my opinion:

  • In older versions of Splunk you could bypass a search filter by using particular types of knowledge objects; I have not tested this in newer versions
  • If the user is a member of a role with a search filter, then all roles the user is in must include the search filter (see below)
  • They make the searches very ugly...ok this probably isn't a major issue but you might care about it if you use the job inspector

For those last two points refer to:
How users inherit search filter restrictions

How users inherit search filter restrictions

You can create roles that inherit the characteristics of other roles. Users assigned to multiple roles inherit properties from the assigned roles.

In the case of search filters, if a user is assigned to roles with different search filters, the filters are all combined and thus the restrictions of each role are applied.

For example, by default, the Power and User roles do not have search filters defined to restrict searches. If a user has a combination of these roles and another role with filters defined (for example, srchFilter=x), the user will inherit the restrictions of that role, despite the association with roles that have no filter. 

For example, if I created roles A and B, where role A has access to index X and "srchFilter=index=x sourcetype=Z" and role B has no search filter but has access to index Y, and I give a user roles A & B, then I run a search such as:

index=Y test 

This becomes:

litsearch (index=Y test index=X sourcetype=Z) 

Therefore the search will not return results!
To summarise: if you use search filters, you will have to use them on every role a user might be added to; they can be bypassed (or at least they could in older versions of Splunk), and the configuration will quickly become ugly!

In terms of solutions I cannot offer any easy options here; as per the suggestions, either re-thinking the index strategy, relaxing the access to data within the index, or summary indexes are all valid options...

Good luck, please accept the answer or up-vote if it helps as it does take a lot of effort to write posts like this!
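To make the inheritance behaviour described in this answer concrete, here is an added Python model (not code from the thread or from Splunk): roles A, B and C, their filters and the events are constructed, and the evaluator only mimics the litsearch rule quoted above (each role's srchFilter ANDed onto the user's search), so it is an illustration rather than Splunk's real search pipeline.

```python
import re
# Constructed sample events (not from the thread), with the fields Splunk holds.
EVENTS = [
    {"index": "X", "sourcetype": "Z", "_raw": "test login ok"},
    {"index": "X", "sourcetype": "W", "_raw": "test secret"},
    {"index": "Y", "sourcetype": "Q", "_raw": "test payment"},
]
# Constructed authorize.conf-style roles: A and B as in the worked example, C
# carrying the OR-style filter quoted earlier in the answer.
ROLES = {
    "A": {"srchIndexesAllowed": {"X"}, "srchFilter": "index=X sourcetype=Z"},
    "B": {"srchIndexesAllowed": {"Y"}, "srchFilter": ""},
    "C": {"srchIndexesAllowed": {"X", "Y"}, "srchFilter": "index=X OR (index=Y sourcetype=Z)"},
}
TOKEN = re.compile(r"\(|\)|\bOR\b|[A-Za-z_]+=[^\s()]+|[^\s()]+")

def matches(expr, event):
    """Filter syntax: implicit AND, explicit OR, parens, key=value, bare words in _raw."""
    toks, pos = TOKEN.findall(expr), 0
    def atom():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok == "(":
            val = clause()
            pos += 1                      # consume the closing ")"
            return val
        if "=" in tok:
            key, want = tok.split("=", 1)
            return str(event.get(key, "")).lower() == want.lower()
        return tok.lower() in event["_raw"].lower()
    def clause():                         # OR-separated groups of ANDed atoms
        nonlocal pos
        result, group = False, True
        while pos < len(toks) and toks[pos] != ")":
            if toks[pos] == "OR":
                result, group, pos = result or group, True, pos + 1
            else:
                group = atom() and group  # atom() runs first, so pos always advances
        return result or group
    return clause()

def effective_search(user_roles, search):
    """The answer's rule: every role's srchFilter is ANDed onto the user's search."""
    filters = [ROLES[r]["srchFilter"] for r in user_roles if ROLES[r]["srchFilter"]]
    return " ".join([f"({search})"] + [f"({f})" for f in filters])

def run(user_roles, search):
    """Events returned: index allowed by some role and the combined query matches."""
    allowed = set().union(*(ROLES[r]["srchIndexesAllowed"] for r in user_roles))
    return [e for e in EVENTS if e["index"] in allowed and matches(effective_search(user_roles, search), e)]
```

With roles A and B, `run(["A", "B"], "index=Y test")` comes back empty, the result the answer predicts, while a user holding only B gets the index Y event back.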

Ultra Champion

hello there,

I think you are in the right direction using search filters:
Role 4, index = 1 OR (index = 2 sourcetype = foo)
read here more:

hope it helps

0 Karma


Hello Adonio,

thanks for your speedy reply, that would indeed work, but it's not feasible for us.

1.) Ownership for Index 1 might be different. So the Owner of Role 4 might not be allowed to grant access to index 1, which he/she would give implicitly.

2.) We do not want to modify the Splunk config for every possible combination. So the access to different indexes should still be controlled by different roles, not by modifying Role 4 all the time.

0 Karma

Ultra Champion

You can use a summary index ...
Create a search that captures the pieces of data from index 1 and populates summary index 1.
Have your new role see the new summary index and anything else it needs to see.

0 Karma


Hello Adonio,

thanks for your passion in this.
But if you think a minute about this, I am sure you will agree that this is not a good approach.
And the overhead is just one bad aspect.

0 Karma

Ultra Champion


Whether this approach is good or bad or somewhere in between is for the user to decide. I thought about it plenty; you are not the only one that has encountered this challenge.
It doesn't matter if I (or you) like it or not, this is how Splunk handles RBAC and the options I suggested above are the common workarounds...
Another approach you can consider is to "double index" the portion of data you want Role 4 to access, by routing and filtering data. The challenge here is that it will cost you double license.
I will be more than happy to see if there are other ideas / solutions / workarounds to your challenge.

all the best

0 Karma

Ultra Champion

Absolutely, that was my thinking as I went through the thread. However, too much overhead in managing these summary indexes...

0 Karma