Sorry, everyone, that I am posting multiple posts for my issue. Just summarising everything here. Please help me with the solution.
We created a single summary index for all applications and are afraid of giving access to it, because if any of them can see other apps' summary data, it will be a security issue, right? We have created a dashboard with the summary index and disabled open in search. At some point we need to give them access to the summary index, and what if they search index=*? Then their restricted index and this summary index both show up, which can be risky. Is there any way we can restrict users from running index=*?
NOTE - we are already using RBAC to restrict users to their specific indexes. But this summary index will show summarised data of all of them. Is there any way to restrict this?
However, in the dashboard we are restricting them: a field must be selected, and only then does the panel with the summary index show up, by filtering. How do people handle this type of situation?
We will create two indexes per application, one for non_prod and one for prod logs, in the same Splunk. They create 2 AD groups (np and prod). We will create indexes and roles and assign them to the respective AD groups, and 1 user will have access to both of these 2 groups.
Being a single summary index, I thought of filtering it at role level using srchFilter and the service field, so as to restrict one user from seeing other apps' summary data. I extracted the service field from the raw data and ingested it into the summary index so that it will pick up the service field values. Then I will use this field in srchFilter to restrict users. We only need the summary index for prod data (indexes), not non-prod data.
Below is the role created for non-prod
[role_abc]
srchIndexesAllowed = non_prod
srchIndexesDefault = non_prod
Below is the role created for prod
[role_xyz]
srchIndexesAllowed = prod;opco_summary
srchIndexesDefault = prod
srchFilter = (index=prod OR (index=opco_summary service=juniper-prod))
In another post I received a comment that indexed fields use :: but here these two fields (index, service) are not indexed fields, hence I used =.
Here my doubt is: when a user has these two roles and searches only index=non_prod, does he see results or not? How does this search work in the backend? Is there any way to test it? And a few users are part of 6-8 AD groups (6-8 indexes). How does srchFilter work here? Please clarify. But what if the user runs index=non_prod... Can he still see the non_prod logs or not?
If there is no other way than creating a separate summary index for each application, we need to do it. But is there any way we can do it fast rather than doing it manually? But again, I don't have the coding knowledge to automate this.
Please stop spamming multiple posts - your question has been asked (again) here - you have been given solutions (which you don't appear to want to use). If anyone can come up with alternatives, they will most likely respond here.
Checked in ChatGPT and the authorize.conf doc and wrote this. Please help: will this work if a user has access to both of these roles? They still need to access non_prod, prod, and the summary data restricted to their service.
Below is the role created for non-prod
[role_abc]
srchIndexesAllowed = non_prod
srchIndexesDefault = non_prod
srchFilter = index=non_prod
Below is the role created for prod
[role_xyz]
srchIndexesAllowed = prod;opco_summary
srchIndexesDefault = prod
srchFilter = (index=prod OR (index=opco_summary AND service=juniper-prod))
Worried about how this srchFilter works across multiple roles (a few managers have access to 6-8 AD groups, meaning 6-8 indexes); they still need to see all data, including summary data, for those 6-8 services.
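As an added illustration (not from the thread or from Splunk's own code), the model below combines the two roles above the way Splunk evaluates restrictions for a user who holds several roles: the searchable indexes are the union of every role's srchIndexesAllowed, and the effective filter is the OR of every role's srchFilter (Splunk's default srchFilterSelecting=true behaviour; treated here as an assumption). The sample events and the second application's role (role_app2) are constructed for the demonstration.

```python
"""Model of how authorize.conf role restrictions combine for a multi-role user.

Assumptions (not taken from the thread): searchable indexes are the union of
each role's srchIndexesAllowed, and the effective srchFilter is the OR of each
role's srchFilter (Splunk default srchFilterSelecting=true). A role with no
srchFilter at all is not modelled here.
"""

# Each srchFilter is modelled as a list of (index, service) disjuncts;
# service=None means "every event in that index".
ROLES = {
    # [role_abc] srchIndexesAllowed = non_prod ; srchFilter = index=non_prod
    "role_abc": {"allowed": {"non_prod"}, "filter": [("non_prod", None)]},
    # [role_xyz] srchIndexesAllowed = prod;opco_summary
    #            srchFilter = (index=prod OR (index=opco_summary AND service=juniper-prod))
    "role_xyz": {"allowed": {"prod", "opco_summary"},
                 "filter": [("prod", None), ("opco_summary", "juniper-prod")]},
    # Constructed: the same pattern applied to a second application ("app2")
    "role_app2": {"allowed": {"prod_app2", "opco_summary"},
                  "filter": [("prod_app2", None), ("opco_summary", "app2-prod")]},
}

# Constructed sample events; the shared summary index holds every service
EVENTS = [
    {"index": "non_prod", "service": "juniper-np", "msg": "np log"},
    {"index": "prod", "service": "juniper-prod", "msg": "prod log"},
    {"index": "prod_app2", "service": "app2-prod", "msg": "app2 prod log"},
    {"index": "opco_summary", "service": "juniper-prod", "count": 10},
    {"index": "opco_summary", "service": "app2-prod", "count": 20},
    {"index": "opco_summary", "service": "app3-prod", "count": 30},
]


def effective_restrictions(user_roles):
    """Union of srchIndexesAllowed and OR of srchFilter across the user's roles."""
    allowed = set().union(*(ROLES[r]["allowed"] for r in user_roles))
    disjuncts = [d for r in user_roles for d in ROLES[r]["filter"]]
    return allowed, disjuncts


def visible(user_roles, search_index="*"):
    """Events a user with these roles gets back from `index=<search_index>`."""
    allowed, disjuncts = effective_restrictions(user_roles)
    out = []
    for ev in EVENTS:
        if search_index != "*" and ev["index"] != search_index:
            continue
        if ev["index"] not in allowed:  # srchIndexesAllowed is applied first
            continue
        if any(ev["index"] == idx and (svc is None or ev.get("service") == svc)
               for idx, svc in disjuncts):  # then the ORed srchFilter
            out.append(ev)
    return out
```

With both thread roles, `visible(["role_abc", "role_xyz"])` returns the non_prod and prod events plus only the juniper-prod summary row; a constructed manager holding role_app2 as well additionally sees the app2-prod summary row but never app3-prod.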
Hi @Karthikeya ,
in Splunk, restrictions on access to data are managed at index level, not at app level;
in other words, when you create a role, you should define the indexes that the role can access: e.g. role1 accesses only index1 and role2 only accesses index2; then you can assign one role or both of them to a user depending on your requirements.
You can do this in [Settings > Roles > Indexes].
In addition, you can eventually add some restrictions on an index (e.g. on the wineventlog index, a role can access only events with EventCode IN (4624,4625,4634), while another role accesses all the events in the wineventlog index).
You can do this in [Settings > Roles > Restrictions].
Ciao.
Giuseppe
@gcusello we have already implemented RBAC restricted access to indexes. Now the headache started because of this single shared summary index.