Hello,
we are using Splunk v8.1.1
I have one user with multiple roles, so he can access multiple indexes and hosts.
The user need additionally access to one host in a multi-host index.
- role1 -> index1 -> all hosts
- role2 -> index2 -> all hosts
- role3 -> index3 -> one host (foo) of many
So I created a new role3 for index3 and a search filter for the host -> (host::foo)
Owning the three roles the user has only access to the host foo.
How can I limit the access to one host in a multi-host index without affect other roles?
Best Regards
Christian
good question