Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you execute a search with more privileges as the current user?

FritzWittwer
Contributor
‎01-11-2019 02:20 AM

We often have events in an index for several customers, but each customer should not see the whole index. I'm looking for a mechanism like the s-bit on traditional Linux systems. E.g. a search, which is called from an origin search, which enforces some filtering rules based on the user running the origin search.

Search Term Restrictions are not flexible enough. Another option which comes into my mind is to implement a custom command in Python which searches via the REST API call and enforces the rules.

Are there any other smart ideas out there?

Tags (1)
Reply

lakshman239
SplunkTrust
SplunkTrust
‎01-11-2019 02:54 AM

One option I had used in the past to restrict 2 diff customers looking at the data from a common index is to define different roles for them along with 'srchFilter' specific to their unique id present in the index/events.

//authorize.conf

[role_cust1]
importRoles = user, ......
srcFilter = index=abc customerId=123

[role_cust2]
srcFilter = index=abc customerId=567

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...