I have a use-case where a Splunk end-user should only be allowed to search a subset of events in an index. For example, restrict the end-user to only be able to search for customer data which the end-user has authorisation to see.
Is there a smart way of doing this in Splunk?
I looked into different solutions like Splunk Apps, External Lookup, Custom parameters in OAuth...
Building a new front-end app and using the Splunk search API is one way, however, that is probably not the smartest way of doing it.
I guess that I'm not the first one that has this use-case.
Access to an index is all or none. Splunk does not have a means for selective access to data within an index. In fact, one of the criteria for creating a new index is different security needs. IOW, each customer's data should be in its own index(es).
You can try defining a search filter (customer=foo, perhaps) for the end user, but that will apply to all indexes and so may not be a workable solution.
Thanks for the fast response. As we are talking millions of customers, that would not scale.
I'll go for a Splunk API based solution then.
It does sound like a very peculiar use case. Maybe not even very well suited to searching Splunk directly. You definitely should try to engage a Splunk Consultant to talk over your needs - maybe you need some form of middleware or a completely different approach to data access.
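As an added illustration of the two approaches discussed in this thread (a mandatory per-user search filter, as with a role `srchFilter`, and the API-based middleware the asker settled on), here is a small Python "search broker" that sits between end-users and the Splunk search REST API and enforces the customer restriction server-side. It is example code written for this page, not code from the thread, from Splunk, or from any Splunk SDK. The field name `customer`, the index name `transactions`, the `AUTHZ` entitlement table and the `submit_to_splunk` placeholder are all constructed assumptions; the real REST call is deliberately left out so the construction and validation logic can be run and tested offline.

```python
"""Per-user customer filtering for Splunk searches, enforced in middleware.

Added example, not from the thread or from Splunk. Assumptions (constructed):
  * events carry a field `customer` holding a customer id
  * the data lives in an index named `transactions`
  * an authorisation lookup returns the customer ids a user may read
"""
import re

# Constructed sample entitlements: user -> customer ids that user may see.
AUTHZ = {
    "alice": {"cust-1001", "cust-1002"},
    "bob": {"cust-2001"},
    "carol": set(),  # authenticated but entitled to no customer at all
}

INDEX = "transactions"
CUSTOMER_FIELD = "customer"

# Customer ids must match a strict pattern so they can be embedded in SPL as
# quoted literals with no way to break out of the quotes.
CUSTOMER_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# The broker only accepts a plain field/value filter from the caller; pipes,
# subsearch brackets and backticks would allow further commands or macros.
FORBIDDEN_CHARS = set("|[]`")


class AuthorisationError(Exception):
    """Raised when a user has no entitlements; the broker fails closed."""


def spl_literal(value: str) -> str:
    """Return value as a double-quoted SPL literal after validating it."""
    if not CUSTOMER_ID_RE.match(value):
        raise ValueError(f"invalid customer id: {value!r}")
    return f'"{value}"'


def customer_filter(user: str) -> str:
    """Build the mandatory restriction, e.g. (customer="a" OR customer="b")."""
    allowed = AUTHZ.get(user)
    if not allowed:
        # No entitlements means no search, never an unfiltered one.
        raise AuthorisationError(f"user {user!r} has no customer entitlements")
    clauses = [f"{CUSTOMER_FIELD}={spl_literal(c)}" for c in sorted(allowed)]
    return "(" + " OR ".join(clauses) + ")"


def parens_balanced(text: str) -> bool:
    """True if parentheses are balanced and never close more than were opened.

    Deliberately conservative: a ')' inside a quoted string is also counted,
    so such fragments are rejected rather than risk an unbalanced wrap below.
    """
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_search(user: str, user_fragment: str) -> str:
    """Combine the mandatory filter with the user's own search terms.

    The user fragment is wrapped in its own parentheses and ANDed after the
    filter.  Without the wrap, a fragment such as `status=failed OR customer=x`
    would widen the result set, because SPL's implicit AND binds tighter
    than OR.  With the wrap the user can only narrow the results further.
    """
    if any(ch in FORBIDDEN_CHARS for ch in user_fragment):
        raise ValueError("search fragment may not contain pipes, brackets or backticks")
    if not parens_balanced(user_fragment):
        raise ValueError("search fragment has unbalanced parentheses")
    fragment = user_fragment.strip() or "*"
    return f"search index={INDEX} {customer_filter(user)} ({fragment})"


def submit_to_splunk(spl: str) -> str:
    """Placeholder for the real REST call (e.g. creating a search job).

    Returns the final SPL so callers can inspect what would be submitted.
    """
    return spl


if __name__ == "__main__":
    print(submit_to_splunk(build_search("alice", "status=failed")))
```

The point of the example is that the restriction is never derived from anything the client sends: the broker looks up the entitlements itself, fails closed for users with none, and validates the caller's fragment so it can only narrow, not widen, the mandated filter. For a handful of customers per user this is equivalent to a role search filter; for the millions of customers mentioned above, the middleware is what lets the filter be computed per request rather than stored per role.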