Security

Restricting access to an index

rmorlen
Splunk Employee

I am trying to restrict access for a specific access. (Splunk 5.05) In the case below I don't want the power users to have access to indexes security1 or security2. This doesn't seem to work.
Any suggestions?

In Authorize.conf:

[role_power]
list_httpauths = enabled
rtsearch = enabled
rtSrchJobsQuota = 5
schedule_search = enabled
srchDiskQuota = 3000
srchIndexesAllowed = *;_*
srchIndexesDefault = *
srchFilter = index!=security1;security2
srchJobsQuota = 30

0 Karma
1 Solution

rmorlen
Splunk Employee

This worked:

srchFilter = index!=security1 index!=security2

0 Karma

Ayn
Legend

"srchFilter" is a semi-colon delimited list of search filters for a role. In your case you have two search filters: "index!=security" and "security2". These are search terms that will be added to all searches for this role automatically. I suspect you don't want "security2" as a search filter. Perhaps you're looking for something like this?

srchFilter = index!=security1;index!=security2
0 Karma

rmorlen
Splunk Employee

Sorry. It didn't work. Users received the message:
"Error in 'search' command: Unable to parse the search: Comparator '!=' has an invalid term on the left hand side."

0 Karma

rmorlen
Splunk Employee

Thanks. I will give this a try.

0 Karma
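
A small lint for the pitfall worked through in this thread, as an added example that is not part of any post and not Splunk tooling: it flags semicolons and bare terms in srchFilter, and restricted indexes that srchIndexesAllowed still reaches without an index!= exclusion. The stanza names, the audit_roles helper and the sample file are constructed for illustration.

```python
import configparser
from fnmatch import fnmatch

# Constructed sample: the role from the question with the three srchFilter
# variants posted in the thread (stanza names are hypothetical).
SAMPLE = """\
[role_power_question]
srchIndexesAllowed = *;_*
srchFilter = index!=security1;security2

[role_power_semicolon]
srchIndexesAllowed = *;_*
srchFilter = index!=security1;index!=security2

[role_power_accepted]
srchIndexesAllowed = *;_*
srchFilter = index!=security1 index!=security2
"""

def audit_roles(conf_text, restricted):
    """Map each role stanza to a list of srchFilter findings for `restricted` indexes."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key names as written (configparser lowercases by default)
    cp.read_string(conf_text)
    report = {}
    for role in cp.sections():
        allowed = cp.get(role, "srchIndexesAllowed", fallback="").split(";")
        flt = cp.get(role, "srchFilter", fallback="")
        findings = []
        if ";" in flt:
            # Both semicolon forms posted in the thread were reported as not working.
            findings.append("semicolon in srchFilter")
        pieces = flt.replace(";", " ").split()
        for piece in pieces:
            if "=" not in piece:
                findings.append(f"bare search term: {piece}")
        for idx in restricted:
            reachable = any(fnmatch(idx, pat.strip()) for pat in allowed if pat.strip())
            if reachable and f"index!={idx}" not in pieces:
                findings.append(f"{idx} allowed but not excluded")
        report[role] = findings
    return report

if __name__ == "__main__":
    for role, findings in audit_roles(SAMPLE, ["security1", "security2"]).items():
        print(role, "->", findings or "ok")
```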