Splunk Enterprise

How do you execute a search with more privileges as the current user?


We often have events in an index for several customers, but each customer should not see the whole index. I'm looking for a mechanism like the s-bit on traditional Linux systems. E.g. a search, which is called from an origin search, which enforces some filtering rules based on the user running the origin search.

Search Term Restrictions are not flexible enough. Another option that comes to mind is to implement a custom command in Python which searches via a REST API call and enforces the rules.

Are there any other smart ideas out there?



One option I had used in the past to restrict two different customers looking at the data from a common index is to define different roles for them, along with a 'srchFilter' specific to their unique ID present in the index/events.


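# authorize.conf; the bracketed stanza names are placeholders for your own role names
[role_<customer 123 role>]
importRoles = user, ......
srchFilter = index=abc customerId=123

[role_<customer 567 role>]
srchFilter = index=abc customerId=567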

0 Karma
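
An added example (not part of the original answer and not Splunk's own tooling): a Python check over authorize.conf text that lists roles allowed to search the shared index whose `srchFilter` is missing, misspelled, or does not pin the customer field to a literal value. The role names and sample config are constructed, and the check reads each role's own stanza only; it does not resolve `importRoles` inheritance.

```python
import configparser
import fnmatch
import re

# Constructed sample authorize.conf text; role names are hypothetical.
SAMPLE = """
[role_customer_a]
importRoles = user
srchIndexesAllowed = abc
srchFilter = index=abc customerId=123

[role_customer_b]
importRoles = user
srchIndexesAllowed = abc
srcFilter = index=abc customerId=567

[role_customer_c]
srchIndexesAllowed = abc;main
srchFilter = index=abc customerId=*
"""

def audit_roles(conf_text, shared_index="abc", tenant_field="customerId"):
    """Map role stanza -> problem for roles that can search shared_index
    without a srchFilter pinning tenant_field to a literal value."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(conf_text)
    # field=value where value is a literal (no wildcard)
    pinned = re.compile(r"\b%s\s*=\s*[^\s*]+(?=\s|$)" % re.escape(tenant_field))
    findings = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        opts = dict(cp[section])
        patterns = [p.strip() for p in opts.get("srchIndexesAllowed", "").split(";")]
        if not any(fnmatch.fnmatchcase(shared_index, p) for p in patterns if p):
            continue  # role has no direct access to the shared index
        filt = opts.get("srchFilter")
        if filt is None:
            near = [k for k in opts if k.lower().endswith("filter")]
            hint = f" (unrecognised key {near[0]!r})" if near else ""
            findings[section] = "no srchFilter" + hint
        elif not pinned.search(filt):
            findings[section] = f"srchFilter does not pin {tenant_field}"
    return findings

if __name__ == "__main__":
    for role, problem in audit_roles(SAMPLE).items():
        print(f"{role}: {problem}")
```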