Splunk Dev

Can I restrict Splunk users to a particular index only?

pradiptam
Explorer

I have the following scenario. I have five users, say A, B, C, D and E, and I have five indexes, Index1, Index2, Index3, Index4 and Index5. Can I restrict the users in the following way:

User A -> All activities directed to Index1
User B -> All activities directed to Index2
User C -> All activities directed to Index3
User D -> All activities directed to Index4
User E -> All activities directed to Index5

If I create a role and assign Index1, will all data be redirected to Index1, and similarly for the others?
Till now everything should work, but when I try to upload data, I can see all the indexes. Why?

Please provide your suggestions regarding the scenario.


mprreddy51
Explorer

Yes, you can restrict the user to searching a particular index or sourcetype. Below is an example stanza in authorize.conf:

[role_abc_user]
# inherit the capabilities of the built-in user role
importRoles = user
# appended to every search this role runs; here it hides four sourcetypes
srchFilter = NOT (sourcetype = a OR sourcetype = b OR sourcetype = c OR sourcetype = d)
# indexes the role is allowed to search (semicolon-separated list)
srchIndexesAllowed = abcd
# indexes searched when a search gives no index= term
srchIndexesDefault = abcd
# 0 = no limit on how long a search from this role may run
srchMaxTime = 0


somesoni2
Revered Legend

By activity, if you mean searching, then yes, all User A searches will be redirected, or in better terms restricted, to Index1 only.


pradiptam
Explorer

Thanks for the reply.

By activity I mean both searching and uploading data. Searching is getting redirected to one index only, say User A points to Index1 only.

But the only thing is, while uploading data, say User A uploads data, I cannot remove the "default index"; there I manually select Index1. So is there any means to hide the default index?


somesoni2
Revered Legend

As far as I know, rerouting the data to a specific index just based on the user is not possible. The data inputs/uploads are not user specific (you can't set sharing permissions on those), hence they would not have access to user attributes like which index the user has access to.


kristian_kolb
Ultra Champion

For a role, you can assign access to one or more indexes. However, this has nothing to do with where log data FROM a particular user is stored.

The fact that you can see everything is perhaps because you are an administrator and your role has full access?

/k
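The two points above (the per-index role stanza in mprreddy51's answer, and kristian_kolb's remark that an administrator's role has full access) both come down to what a role's effective index access is after inheritance. The script below is an added example written for this thread, not Splunk's own code or anything posted by the participants: it renders one authorize.conf stanza per user for the five-user scenario in the question, then reads the result back and computes the union of srchIndexesAllowed across importRoles, which is how Splunk combines index access from inherited roles. The user/index names and the [role_user] and [role_admin] base stanzas are constructed assumptions (the base stanzas are shaped like the shipped defaults but not copied from them), so check them against your own authorize.conf.

```python
"""Build authorize.conf stanzas that confine each user's role to one index, and
compute the index access a role actually ends up with after role inheritance.

Added example for this thread, not Splunk code.  Role names, index names and the
base [role_user]/[role_admin] stanzas below are constructed assumptions.
"""
from __future__ import annotations

# Constructed mapping from the question: one user per index.
USER_INDEX = {"A": "index1", "B": "index2", "C": "index3", "D": "index4", "E": "index5"}

# Assumed base roles (constructed to resemble shipped defaults, not copied from them).
BASE_ROLES = """\
[role_user]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_admin]
importRoles = user
srchIndexesAllowed = *
srchIndexesDefault = main
"""


def render_role(name: str, index: str, imports: tuple[str, ...] = ("user",)) -> str:
    """One [role_<name>] stanza whose searches may only touch `index`.

    srchIndexesAllowed bounds what the role may search; srchIndexesDefault is what
    a search hits when no index= term is given.  Both are ';'-separated lists.
    """
    lines = [f"[role_{name}]"]
    if imports:
        lines.append(f"importRoles = {';'.join(imports)}")
    lines += [f"srchIndexesAllowed = {index}", f"srchIndexesDefault = {index}"]
    return "\n".join(lines) + "\n"


def render_authorize_conf(mapping: dict[str, str], imports=("user",)) -> str:
    """Stanzas for every user -> index pair, e.g. [role_user_A] for user A."""
    return "\n".join(render_role(f"user_{u}", idx, imports) for u, idx in mapping.items())


def parse_roles(conf: str) -> dict[str, dict[str, str]]:
    """Minimal authorize.conf reader: {'user_A': {'importRoles': 'user', ...}}.

    Stanza headers carry a role_ prefix; importRoles values do not, so keys are
    stored without the prefix to make lookups uniform.
    """
    roles: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].removeprefix("role_")
            roles[current] = {}
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            roles[current][key.strip()] = val.strip()
    return roles


def effective_indexes(role: str, roles: dict[str, dict[str, str]], _seen=None) -> set[str]:
    """Union of srchIndexesAllowed over the role and everything it imports.

    Splunk unions index access across inherited roles, so importing a broad role
    (admin's '*' here) widens a per-index restriction instead of narrowing it.
    """
    seen = set() if _seen is None else _seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    allowed = {i for i in roles[role].get("srchIndexesAllowed", "").split(";") if i}
    for parent in roles[role].get("importRoles", "").split(";"):
        if parent:
            allowed |= effective_indexes(parent, roles, seen)
    return allowed


def is_confined(role: str, roles: dict[str, dict[str, str]], index: str) -> bool:
    """True only if the role can search exactly `index` and nothing else."""
    return effective_indexes(role, roles) == {index}


if __name__ == "__main__":
    conf = BASE_ROLES + "\n" + render_authorize_conf(USER_INDEX)
    print(conf)
    roles = parse_roles(conf)
    for user, idx in USER_INDEX.items():
        name = f"user_{user}"
        print(f"{name}: {sorted(effective_indexes(name, roles))} "
              f"confined={is_confined(name, roles, idx)}")
```

Run as-is, the check reports that user_A is not confined to index1: its stanza imports user, and the assumed [role_user] carries main, so the union is {index1, main}. Pass imports=() to render_authorize_conf (or list only roles with no index access of their own) and the same check passes. The same union is why an admin account sees every index regardless of any per-user stanza, which matches the thread's observation; none of this affects where uploaded data is written, only what each role is allowed to search.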
