Splunk Enterprise

How to hide index data from users searches

rayar
Contributor

Hi

I would like to make specific index data invisible for all searches, but not actually delete it from the indexer, and keep all data integrations active.

Is it possible?

Should I do it with Role configuration (Restrict search terms), or is there some other way?

If I am using role configuration, will the user see the data if he runs index=*?

Thanks

0 Karma
1 Solution

scelikok
SplunkTrust

So, you can use a Search Restriction like below:

index!=sensitive_index

It will filter all data from "sensitive_index" even on index=* searches.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

0 Karma


rayar
Contributor

Hi

Currently we are using it as below (all non-internal indexes marked).

We don't want to change it since the index list is dynamic.

rayar_0-1609150764261.png

What would you suggest?

0 Karma

scelikok
SplunkTrust

Hi @rayar,

The best and safest way to restrict an index from user searches is to specify searchable indexes from roles. You can find details in the document below.

https://docs.splunk.com/Documentation/Splunk/8.1.1/Security/Addandeditroles#Specify_searchable_index... 

 

If this reply helps you an upvote is appreciated.

0 Karma
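
The two approaches from this thread written as authorize.conf stanzas, as an added example that is not part of the original posts. The role names `role_analyst` and `role_analyst_strict` and the index pattern `web_*` are hypothetical; `sensitive_index` is the index name used in the accepted answer.

```ini
# authorize.conf (for example $SPLUNK_HOME/etc/system/local/authorize.conf)
# Role names and the web_* pattern are hypothetical placeholders.

# Approach 1 (accepted answer): keep "all non-internal indexes" selected
# because the index list is dynamic, and add a search restriction.
# The filter is applied to every search the role runs, so index=*
# does not return events from sensitive_index.
[role_analyst]
srchIndexesAllowed = *
srchIndexesDefault = main
srchFilter = index!=sensitive_index

# Approach 2 (last answer): list the searchable indexes explicitly.
# sensitive_index is simply never granted, so no filter is needed.
# Entries are semicolon-separated and may contain wildcards.
[role_analyst_strict]
srchIndexesAllowed = main;web_*
srchIndexesDefault = main

# Caveat for both approaches: a user's effective access is built from
# every role they hold, including inherited roles. Another role that
# allows "*" without the filter makes sensitive_index searchable again,
# so review all roles assigned to the user, not only this one.
#
# To inspect the merged settings for a role on the search head:
#   splunk btool authorize list role_analyst --debug
```

Neither setting deletes data or touches inputs: indexing into sensitive_index continues, and only what the role can search changes.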